mastercontroller 1.3.0 → 1.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/settings.local.json +4 -1
- package/MasterAction.js +137 -23
- package/MasterActionFilters.js +197 -92
- package/MasterControl.js +265 -44
- package/MasterHtml.js +226 -143
- package/MasterPipeline.js +1 -1
- package/MasterRequest.js +202 -24
- package/MasterSocket.js +6 -1
- package/MasterTools.js +428 -13
- package/README.md +2364 -309
- package/SECURITY-FIXES-v1.3.2.md +614 -0
- package/docs/SECURITY-AUDIT-ACTION-SYSTEM.md +1374 -0
- package/docs/SECURITY-AUDIT-HTTPS.md +1056 -0
- package/docs/SECURITY-QUICKSTART.md +375 -0
- package/docs/timeout-and-error-handling.md +8 -6
- package/package.json +1 -1
- package/security/SecurityEnforcement.js +241 -0
- package/security/SessionSecurity.js +100 -2
- package/test/security/filters.test.js +276 -0
- package/test/security/https.test.js +214 -0
- package/test/security/path-traversal.test.js +222 -0
- package/test/security/xss.test.js +190 -0
- package/MasterSession.js +0 -208
- package/docs/server-setup-hostname-binding.md +0 -24
- package/docs/server-setup-http.md +0 -32
- package/docs/server-setup-https-credentials.md +0 -32
- package/docs/server-setup-https-env-tls-sni.md +0 -62
- package/docs/server-setup-nginx-reverse-proxy.md +0 -46
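--- a/package/docs/server-setup-https-credentials.md
+++ /dev/null
@@ -1,32 +0,0 @@
-## Server setup: HTTPS with direct credentials
-
-Pass key/cert (and optional chain/ca) directly to `setupServer('https', credentials)`.
-
-### server.js (HTTPS credentials)
-```js
-const fs = require('fs');
-const master = require('./MasterControl');
-
-master.root = __dirname;
-master.environmentType = process.env.NODE_ENV || 'production';
-
-const credentials = {
-key: fs.readFileSync('/etc/ssl/private/site.key'),
-cert: fs.readFileSync('/etc/ssl/certs/site.crt'),
-ca: fs.readFileSync('/etc/ssl/certs/chain.pem'),
-minVersion: 'TLSv1.2',
-honorCipherOrder: true,
-ALPNProtocols: ['h2', 'http/1.1']
-};
-
-const server = master.setupServer('https', credentials);
-master.start(server);
-master.serverSettings({ httpPort: 8443, hostname: '0.0.0.0', requestTimeout: 60000 });
-master.startMVC('app');
-```
-
-### Notes
-- Use a high port (e.g., 8443) to avoid running as root, or grant `CAP_NET_BIND_SERVICE` if binding to 443.
-- Strong defaults are ensured if you omit them, but explicitly setting them is recommended.
-- For multiple domains, see the TLS/SNI guide.
-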
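--- a/package/docs/server-setup-https-env-tls-sni.md
+++ /dev/null
@@ -1,62 +0,0 @@
-## Server setup: HTTPS via environment TLS (with SNI and live reload)
-
-This uses `config/environments/env.<env>.json` to configure TLS, SNI (multi-domain), HSTS, and watches cert files for live reload.
-
-### Example env.production.json
-```json
-{
-"server": {
-"httpPort": 8443,
-"hostname": "0.0.0.0",
-"requestTimeout": 60000,
-"tls": {
-"hsts": true,
-"hstsMaxAge": 15552000,
-"minVersion": "TLSv1.2",
-"honorCipherOrder": true,
-"alpnProtocols": ["h2", "http/1.1"],
-"default": {
-"keyPath": "/etc/ssl/private/site.key",
-"certPath": "/etc/ssl/certs/site.crt",
-"caPath": "/etc/ssl/certs/chain.pem"
-},
-"sni": {
-"example.com": {
-"keyPath": "/etc/ssl/private/example.key",
-"certPath": "/etc/ssl/certs/example.crt",
-"caPath": "/etc/ssl/certs/chain.pem"
-},
-"api.example.com": {
-"keyPath": "/etc/ssl/private/api.key",
-"certPath": "/etc/ssl/certs/api.crt",
-"caPath": "/etc/ssl/certs/chain.pem"
-}
-}
-}
-}
-}
-```
-
-### server.js (HTTPS from env)
-```js
-const master = require('./MasterControl');
-
-master.root = __dirname;
-master.environmentType = process.env.NODE_ENV || 'production';
-
-// No credentials passed; MasterControl will auto-load TLS from env
-const server = master.setupServer('https');
-master.start(server);
-master.serverSettings(master.env.server);
-master.startMVC('app');
-
-// Optional: HTTP->HTTPS redirect (listen on 80)
-// master.startHttpToHttpsRedirect(80, '0.0.0.0');
-```
-
-### How it works
-- `default`: certs used when SNI domain does not match any entry.
-- `sni`: per-domain certificates; the server chooses the right cert via `SNICallback`.
-- Live reload: when any `keyPath`/`certPath`/`caPath` changes, the secure context is rebuilt in-memory (no restart needed).
-- HSTS: when enabled, responses over HTTPS include `strict-transport-security` with the configured max-age.
-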
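--- a/package/docs/server-setup-nginx-reverse-proxy.md
+++ /dev/null
@@ -1,46 +0,0 @@
-## Server setup: Nginx reverse proxy with HTTP→HTTPS redirect
-
-Recommended production pattern: Node app on a high port (HTTP), Nginx on 80/443 handling TLS and redirects.
-
-### server.js (app on HTTP localhost:3000)
-```js
-const master = require('./MasterControl');
-
-master.root = __dirname;
-master.environmentType = process.env.NODE_ENV || 'production';
-
-const server = master.setupServer('http');
-master.start(server);
-master.serverSettings({ httpPort: 3000, hostname: '127.0.0.1', requestTimeout: 60000 });
-master.startMVC('app');
-```
-
-### Nginx config
-```nginx
-server {
-listen 80;
-server_name yourdomain.com;
-return 301 https://$host$request_uri;
-}
-
-server {
-listen 443 ssl http2;
-server_name yourdomain.com;
-
-ssl_certificate /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
-
-location / {
-proxy_pass http://127.0.0.1:3000;
-proxy_set_header Host $host;
-proxy_set_header X-Real-IP $remote_addr;
-proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-proxy_set_header X-Forwarded-Proto $scheme;
-}
-}
-```
-
-### Notes
-- Use certbot or another ACME client to manage certificates and renewals automatically.
-- This keeps Node unprivileged (no need to bind to 443) and simplifies TLS.
-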