mastercontroller 1.3.0 → 1.3.2

package/security/SessionSecurity.js

@@ -25,8 +25,8 @@ class SessionSecurity {
     this.domain = options.domain || null;
     this.path = options.path || '/';
 
-    // Session fingerprinting
-    this.useFingerprint = options.useFingerprint !== false;
+    // Session fingerprinting (disabled by default like ASP.NET Core)
+    this.useFingerprint = options.useFingerprint === true;
 
     // Start cleanup interval
     this._startCleanup();
@@ -407,8 +407,106 @@ const SESSION_BEST_PRACTICES = {
   }
 };
 
+// MasterController Integration
+const master = require('../MasterControl');
+
+// Create MasterController-compatible wrapper
+class MasterSessionSecurity {
+  constructor() {
+    this._instance = null;
+    this._options = {};
+  }
+
+  /**
+   * Initialize session security (Rails/Django style)
+   * Auto-registers with middleware pipeline
+   */
+  init(options = {}) {
+    this._options = options;
+    this._instance = new SessionSecurity(options);
+
+    // Auto-register with pipeline if available
+    if (master.pipeline) {
+      master.pipeline.use(this._instance.middleware());
+    }
+
+    return this;
+  }
+
+  /**
+   * Get middleware function
+   */
+  middleware() {
+    if (!this._instance) {
+      this.init();
+    }
+    return this._instance.middleware();
+  }
+
+  /**
+   * Destroy session
+   */
+  destroy(req, res) {
+    if (!this._instance) {
+      throw new Error('SessionSecurity not initialized. Call master.session.init() first.');
+    }
+    return this._instance.destroySession(req, res);
+  }
+
+  /**
+   * Get session by ID
+   */
+  getSession(sessionId) {
+    if (!this._instance) {
+      throw new Error('SessionSecurity not initialized. Call master.session.init() first.');
+    }
+    return this._instance.getSession(sessionId);
+  }
+
+  /**
+   * Touch session (extend expiry)
+   */
+  touch(sessionId) {
+    if (!this._instance) {
+      throw new Error('SessionSecurity not initialized. Call master.session.init() first.');
+    }
+    return this._instance.touch(sessionId);
+  }
+
+  /**
+   * Get session count (monitoring)
+   */
+  getSessionCount() {
+    if (!this._instance) {
+      throw new Error('SessionSecurity not initialized. Call master.session.init() first.');
+    }
+    return this._instance.getSessionCount();
+  }
+
+  /**
+   * Clear all sessions (testing only)
+   */
+  clearAllSessions() {
+    if (!this._instance) {
+      throw new Error('SessionSecurity not initialized. Call master.session.init() first.');
+    }
+    return this._instance.clearAllSessions();
+  }
+
+  /**
+   * Get recommended settings for environment
+   */
+  getBestPractices(env) {
+    return SESSION_BEST_PRACTICES[env] || SESSION_BEST_PRACTICES.development;
+  }
+}
+
+// Note: Auto-registration with MasterController happens in init() to avoid circular dependency
+// This is called when master.session.init() is invoked in config.js
+
 module.exports = {
   SessionSecurity,
+  MasterSessionSecurity,
   session,
   createSessionMiddleware,
   destroySession,

package/test/security/filters.test.js

@@ -0,0 +1,276 @@
+// Action Filter Tests for MasterActionFilters.js
+const master = require('../../MasterControl');
+require('../../MasterActionFilters');
+
+describe('Action Filters - Fixed Architecture', () => {
+
+	class TestController {
+		constructor() {
+			this.__namespace = 'test';
+			this._beforeActionFilters = [];
+			this._afterActionFilters = [];
+
+			// Import methods from MasterActionFilters
+			Object.assign(this, master.controllerExtensions);
+		}
+	}
+
+	describe('Multiple Filters Support', () => {
+		test('should support multiple beforeAction filters', () => {
+			const controller = new TestController();
+
+			controller.beforeAction(['show'], () => console.log('Filter 1'));
+			controller.beforeAction(['show'], () => console.log('Filter 2'));
+			controller.beforeAction(['edit'], () => console.log('Filter 3'));
+
+			// Should have 3 filters
+			expect(controller._beforeActionFilters).toHaveLength(3);
+		});
+
+		test('should not overwrite previous filters', () => {
+			const controller = new TestController();
+
+			controller.beforeAction(['show'], () => 'first');
+			controller.beforeAction(['show'], () => 'second');
+
+			// Both filters should exist
+			expect(controller._beforeActionFilters[0].callBack()).toBe('first');
+			expect(controller._beforeActionFilters[1].callBack()).toBe('second');
+		});
+
+		test('should support multiple afterAction filters', () => {
+			const controller = new TestController();
+
+			controller.afterAction(['index'], () => {});
+			controller.afterAction(['index'], () => {});
+
+			expect(controller._afterActionFilters).toHaveLength(2);
+		});
+	});
+
+	describe('Instance-Level Filters (Not Global)', () => {
+		test('should not share filters between controllers', () => {
+			const controller1 = new TestController();
+			const controller2 = new TestController();
+
+			controller1.__namespace = 'users';
+			controller2.__namespace = 'posts';
+
+			controller1.beforeAction(['show'], () => 'users filter');
+			controller2.beforeAction(['index'], () => 'posts filter');
+
+			// Each controller has independent filters
+			expect(controller1._beforeActionFilters).toHaveLength(1);
+			expect(controller2._beforeActionFilters).toHaveLength(1);
+
+			expect(controller1._beforeActionFilters[0].namespace).toBe('users');
+			expect(controller2._beforeActionFilters[0].namespace).toBe('posts');
+		});
+
+		test('should not have race conditions between requests', () => {
+			// Simulate two concurrent requests
+			const request1Controller = new TestController();
+			const request2Controller = new TestController();
+
+			request1Controller.__namespace = 'users';
+			request2Controller.__namespace = 'admin';
+
+			request1Controller.beforeAction(['show'], () => 'request 1');
+			request2Controller.beforeAction(['dashboard'], () => 'request 2');
+
+			// Each request has its own filter state
+			expect(request1Controller._beforeActionFilters[0].callBack()).toBe('request 1');
+			expect(request2Controller._beforeActionFilters[0].callBack()).toBe('request 2');
+		});
+	});
+
+	describe('Filter Execution', () => {
+		test('should execute all matching filters in order', async () => {
+			const controller = new TestController();
+			const executionOrder = [];
+
+			controller.beforeAction(['show'], () => executionOrder.push('first'));
+			controller.beforeAction(['show'], () => executionOrder.push('second'));
+			controller.beforeAction(['show'], () => executionOrder.push('third'));
+
+			const request = {
+				toAction: 'show',
+				response: { _headerSent: false, headersSent: false }
+			};
+
+			await controller.__callBeforeAction(controller, request, null);
+
+			expect(executionOrder).toEqual(['first', 'second', 'third']);
+		});
+
+		test('should only execute filters for matching actions', async () => {
+			const controller = new TestController();
+			const executed = [];
+
+			controller.beforeAction(['show'], () => executed.push('show'));
+			controller.beforeAction(['edit'], () => executed.push('edit'));
+			controller.beforeAction(['destroy'], () => executed.push('destroy'));
+
+			const request = {
+				toAction: 'show',
+				response: { _headerSent: false, headersSent: false }
+			};
+
+			await controller.__callBeforeAction(controller, request, null);
+
+			expect(executed).toEqual(['show']);
+		});
+	});
+
+	describe('Async Support', () => {
+		test('should support async filters', async () => {
+			const controller = new TestController();
+			let asyncCompleted = false;
+
+			controller.beforeAction(['index'], async () => {
+				await new Promise(resolve => setTimeout(resolve, 10));
+				asyncCompleted = true;
+			});
+
+			const request = {
+				toAction: 'index',
+				response: { _headerSent: false, headersSent: false }
+			};
+
+			await controller.__callBeforeAction(controller, request, null);
+
+			expect(asyncCompleted).toBe(true);
+		});
+
+		test('should await each filter before continuing', async () => {
+			const controller = new TestController();
+			const order = [];
+
+			controller.beforeAction(['index'], async () => {
+				order.push('start-1');
+				await new Promise(resolve => setTimeout(resolve, 20));
+				order.push('end-1');
+			});
+
+			controller.beforeAction(['index'], async () => {
+				order.push('start-2');
+				await new Promise(resolve => setTimeout(resolve, 10));
+				order.push('end-2');
+			});
+
+			const request = {
+				toAction: 'index',
+				response: { _headerSent: false, headersSent: false }
+			};
+
+			await controller.__callBeforeAction(controller, request, null);
+
+			// Should execute in order, awaiting each
+			expect(order).toEqual(['start-1', 'end-1', 'start-2', 'end-2']);
+		});
+	});
+
+	describe('Error Handling', () => {
+		test('should catch and log filter errors', async () => {
+			const controller = new TestController();
+
+			controller.beforeAction(['index'], () => {
+				throw new Error('Filter error');
+			});
+
+			const request = {
+				toAction: 'index',
+				response: {
+					_headerSent: false,
+					headersSent: false,
+					writeHead: jest.fn(),
+					end: jest.fn()
+				}
+			};
+
+			await expect(
+				controller.__callBeforeAction(controller, request, null)
+			).rejects.toThrow('Filter error');
+
+			// Should send error response
+			expect(request.response.writeHead).toHaveBeenCalledWith(500, expect.any(Object));
+		});
+
+		test('should stop filter chain on error', async () => {
+			const controller = new TestController();
+			const executed = [];
+
+			controller.beforeAction(['index'], () => {
+				executed.push('first');
+				throw new Error('Stop here');
+			});
+
+			controller.beforeAction(['index'], () => {
+				executed.push('second'); // Should not execute
+			});
+
+			const request = {
+				toAction: 'index',
+				response: {
+					_headerSent: false,
+					headersSent: false,
+					writeHead: jest.fn(),
+					end: jest.fn()
+				}
+			};
+
+			try {
+				await controller.__callBeforeAction(controller, request, null);
+			} catch (e) {}
+
+			expect(executed).toEqual(['first']);
+		});
+	});
+
+	describe('Timeout Protection', () => {
+		test('should timeout slow filters', async () => {
+			const controller = new TestController();
+
+			controller.beforeAction(['index'], async () => {
+				// Simulate slow operation (6 seconds, timeout is 5 seconds)
+				await new Promise(resolve => setTimeout(resolve, 6000));
+			});
+
+			const request = {
+				toAction: 'index',
+				response: {
+					_headerSent: false,
+					headersSent: false,
+					writeHead: jest.fn(),
+					end: jest.fn()
+				}
+			};
+
+			await expect(
+				controller.__callBeforeAction(controller, request, null)
+			).rejects.toThrow(/timeout/i);
+		}, 10000); // Increase test timeout
+	});
+
+	describe('Variable Shadowing Fix', () => {
+		test('should not have variable shadowing bugs', async () => {
+			const controller = new TestController();
+			const actions = ['show', 'edit', 'destroy'];
+
+			// This used to cause bugs due to variable shadowing
+			controller.beforeAction(actions, (req) => {
+				// Action list should be properly iterated
+			});
+
+			const request = {
+				toAction: 'edit',
+				response: { _headerSent: false, headersSent: false }
+			};
+
+			// Should execute without errors
+			await expect(
+				controller.__callBeforeAction(controller, request, null)
+			).resolves.not.toThrow();
+		});
+	});
+});

package/test/security/https.test.js

@@ -0,0 +1,214 @@
+// HTTPS and Open Redirect Protection Tests
+const master = require('../../MasterControl');
+require('../../MasterAction');
+
+describe('HTTPS and Open Redirect Protection', () => {
+
+	class MockController {
+		constructor() {
+			Object.assign(this, master.controllerExtensions);
+			this.__requestObject = {
+				request: {
+					connection: {},
+					headers: {}
+				},
+				response: {
+					_headerSent: false,
+					headersSent: false,
+					writeHead: jest.fn(),
+					end: jest.fn(),
+					setHeader: jest.fn()
+				},
+				pathName: '/login'
+			};
+		}
+
+		redirectTo(url) {
+			this.__requestObject.response.writeHead(302, { 'Location': url });
+			this.__requestObject.response.end();
+		}
+
+		returnError(code, message) {
+			this.__requestObject.response.writeHead(code, { 'Content-Type': 'application/json' });
+			this.__requestObject.response.end(JSON.stringify({ error: message }));
+		}
+	}
+
+	describe('requireHTTPS() - Open Redirect Fix', () => {
+		beforeEach(() => {
+			// Setup test environment
+			master.env = master.env || {};
+			master.env.server = {
+				hostname: 'example.com',
+				httpsPort: 443
+			};
+		});
+
+		test('should NOT use Host header from request', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			controller.__requestObject.request.headers.host = 'evil.com';
+
+			controller.requireHTTPS();
+
+			// Should redirect to configured host, NOT Host header
+			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+
+			expect(redirectCall).toBeTruthy();
+			expect(redirectCall[1].Location).toBe('https://example.com/login');
+			expect(redirectCall[1].Location).not.toContain('evil.com');
+		});
+
+		test('should use configured hostname', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+
+			master.env.server.hostname = 'myapp.com';
+
+			controller.requireHTTPS();
+
+			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+
+			expect(redirectCall[1].Location).toBe('https://myapp.com/login');
+		});
+
+		test('should include port if not 443', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+
+			master.env.server.hostname = 'example.com';
+			master.env.server.httpsPort = 8443;
+
+			controller.requireHTTPS();
+
+			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+
+			expect(redirectCall[1].Location).toBe('https://example.com:8443/login');
+		});
+
+		test('should return error if hostname not configured', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+
+			master.env.server.hostname = 'localhost';
+
+			const result = controller.requireHTTPS();
+
+			expect(result).toBe(false);
+			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(500, expect.any(Object));
+		});
+
+		test('should allow request if already HTTPS', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = true;
+
+			const result = controller.requireHTTPS();
+
+			expect(result).toBe(true);
+			expect(controller.__requestObject.response.writeHead).not.toHaveBeenCalled();
+		});
+
+		test('should detect HTTPS from X-Forwarded-Proto header', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			controller.__requestObject.request.headers['x-forwarded-proto'] = 'https';
+
+			const result = controller.requireHTTPS();
+
+			expect(result).toBe(true);
+		});
+	});
+
+	describe('isSecure()', () => {
+		test('should return true for encrypted connection', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = true;
+
+			expect(controller.isSecure()).toBe(true);
+		});
+
+		test('should return true for X-Forwarded-Proto: https', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.headers['x-forwarded-proto'] = 'https';
+
+			expect(controller.isSecure()).toBe(true);
+		});
+
+		test('should return false for HTTP', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			controller.__requestObject.request.headers['x-forwarded-proto'] = 'http';
+
+			expect(controller.isSecure()).toBe(false);
+		});
+	});
+
+	describe('Real-World Attack Scenarios', () => {
+		beforeEach(() => {
+			master.env = master.env || {};
+			master.env.server = {
+				hostname: 'legitimate.com',
+				httpsPort: 443
+			};
+		});
+
+		test('should prevent phishing via Host header manipulation', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+
+			// Attacker sets malicious Host header
+			controller.__requestObject.request.headers.host = 'phishing-site.com';
+			controller.__requestObject.pathName = '/login';
+
+			controller.requireHTTPS();
+
+			// Should redirect to legitimate site, not attacker's
+			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+
+			expect(redirectCall[1].Location).toBe('https://legitimate.com/login');
+			expect(redirectCall[1].Location).not.toContain('phishing-site.com');
+		});
+
+		test('should prevent redirect to external domain', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+
+			// Attacker tries various Host header values
+			const maliciousHosts = [
+				'evil.com',
+				'attacker.net',
+				'phishing.org',
+				'legitimate.com.evil.com'
+			];
+
+			maliciousHosts.forEach(host => {
+				controller.__requestObject.request.headers.host = host;
+				controller.__requestObject.response.writeHead.mockClear();
+
+				controller.requireHTTPS();
+
+				const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+				const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+
+				expect(redirectCall[1].Location).toBe('https://legitimate.com/login');
+			});
+		});
+
+		test('should preserve original path in redirect', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			controller.__requestObject.pathName = '/admin/users/123';
+
+			controller.requireHTTPS();
+
+			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+
+			expect(redirectCall[1].Location).toBe('https://legitimate.com/admin/users/123');
+		});
+	});
+});