mastercontroller 1.3.1 → 1.3.2

package/docs/SECURITY-QUICKSTART.md

@@ -0,0 +1,375 @@
+# Security Quick Start Guide
+
+**Goal:** Enable automatic security enforcement in 5 minutes
+
+---
+
+## Step 1: Update config/initializers/config.js
+
+Add these lines at the top of your config file:
+
+```javascript
+// config/initializers/config.js
+var master = require('mastercontroller');
+const SecurityEnforcement = require('mastercontroller/security/SecurityEnforcement');
+
+// ===========================
+// AUTOMATIC SECURITY ENFORCEMENT
+// ===========================
+
+const securityConfig = SecurityEnforcement.init({
+    csrf: true,                // Auto-validate CSRF tokens
+    sanitizeInputs: true,      // Auto-sanitize all user inputs
+    httpsOnly: true,           // Require HTTPS in production
+    csrfExcludePaths: [        // Paths that don't need CSRF (webhooks, APIs)
+        '/api/webhook',
+        '/api/public'
+    ]
+});
+
+// Register security middleware (IMPORTANT!)
+master.pipeline.use(SecurityEnforcement.middleware(securityConfig));
+
+// ... rest of your config
+```
+
+---
+
+## Step 2: Configure Hostname
+
+Add hostname to your production environment config:
+
+```json
+// config/environments/env.production.json
+{
+    "server": {
+        "hostname": "yourapp.com",
+        "httpsPort": 443,
+        "requestTimeout": 120000
+    },
+    "error": {
+        "showStackTrace": false
+    }
+}
+```
+
+---
+
+## Step 3: Include CSRF Tokens in Forms
+
+### HTML Forms
+
+```html
+<form method="POST" action="/users">
+    <!-- Add CSRF token -->
+    <input type="hidden" name="_csrf" value="<%= this.generateCSRFToken() %>">
+
+    <input type="text" name="username">
+    <input type="email" name="email">
+    <button type="submit">Create User</button>
+</form>
+```
+
+### AJAX Requests
+
+```javascript
+// Get CSRF token from meta tag
+const csrfToken = document.querySelector('meta[name="csrf-token"]').content;
+
+// Include in request
+fetch('/api/users', {
+    method: 'POST',
+    headers: {
+        'Content-Type': 'application/json',
+        'X-CSRF-Token': csrfToken
+    },
+    body: JSON.stringify({
+        username: 'john',
+        email: 'john@example.com'
+    })
+});
+```
+
+### Add CSRF Meta Tag to Layout
+
+```html
+<!-- app/views/layouts/master.html -->
+<!DOCTYPE html>
+<html>
+<head>
+    <meta name="csrf-token" content="<%= this.generateCSRFToken() %>">
+    <!-- ... other meta tags -->
+</head>
+<body>
+    <%= yield %>
+</body>
+</html>
+```
+
+---
+
+## Step 4: Test Your Security
+
+### Test CSRF Protection
+
+```bash
+# Should FAIL (no CSRF token)
+curl -X POST http://localhost:3000/users \
+  -H "Content-Type: application/json" \
+  -d '{"username":"test"}'
+
+# Should SUCCEED (with CSRF token)
+curl -X POST http://localhost:3000/users \
+  -H "Content-Type: application/json" \
+  -H "X-CSRF-Token: YOUR_TOKEN_HERE" \
+  -d '{"username":"test"}'
+```
+
+### Test Input Sanitization
+
+```javascript
+// Try to inject XSS
+const form = {
+    comment: '<script>alert("XSS")</script>'
+};
+
+// After security enforcement, this will be sanitized automatically:
+// "<script>alert("XSS")</script>" becomes "&lt;script&gt;alert(&quot;XSS&quot;)&lt;/script&gt;"
+```
+
+### Test HTTPS Enforcement
+
+```bash
+# In production, HTTP request should redirect to HTTPS
+curl -I http://yourapp.com/admin
+
+# Should return:
+# HTTP/1.1 301 Moved Permanently
+# Location: https://yourapp.com/admin
+```
+
+---
+
+## Step 5: Remove Manual Security Checks (Optional)
+
+Since security is now automatic, you can remove redundant checks:
+
+### Before (Manual)
+
+```javascript
+class UsersController {
+    create(obj) {
+        // Manual security checks (can remove now)
+        if (!this.validateCSRF()) {
+            return this.returnError(403, 'CSRF invalid');
+        }
+
+        if (!this.requireHTTPS()) {
+            return;
+        }
+
+        const username = this.sanitizeInput(obj.params.formData.username);
+        const email = this.sanitizeInput(obj.params.formData.email);
+
+        // ... create user
+    }
+}
+```
+
+### After (Automatic)
+
+```javascript
+class UsersController {
+    create(obj) {
+        // All security checks done automatically!
+        // Just handle the business logic
+        const username = obj.params.formData.username; // Already sanitized
+        const email = obj.params.formData.email;       // Already sanitized
+
+        const user = this.userContext.create({ username, email });
+        this.json({ user });
+    }
+}
+```
+
+---
+
+## Common Issues
+
+### Issue 1: CSRF Token Missing
+
+**Error:** `403 Forbidden - CSRF token required`
+
+**Solution:** Include CSRF token in form or header:
+
+```html
+<!-- Option 1: Form field -->
+<input type="hidden" name="_csrf" value="<%= this.generateCSRFToken() %>">
+
+<!-- Option 2: AJAX header -->
+<script>
+fetch(url, {
+    headers: { 'X-CSRF-Token': '<%= this.generateCSRFToken() %>' }
+});
+</script>
+```
+
+### Issue 2: Webhook Failing CSRF Check
+
+**Error:** External webhook blocked by CSRF
+
+**Solution:** Exclude webhook path from CSRF:
+
+```javascript
+const securityConfig = SecurityEnforcement.init({
+    csrf: true,
+    csrfExcludePaths: [
+        '/api/webhook',           // Your webhook path
+        '/api/stripe/webhook',    // Stripe webhook
+        '/api/github/webhook'     // GitHub webhook
+    ]
+});
+```
+
+### Issue 3: HTTPS Redirect Loop
+
+**Error:** Infinite redirect between HTTP and HTTPS
+
+**Solution:** Configure hostname correctly:
+
+```json
+{
+    "server": {
+        "hostname": "yourapp.com",  // NOT "localhost"
+        "httpsPort": 443
+    }
+}
+```
+
+### Issue 4: Input Sanitization Breaking HTML
+
+**Error:** Rich text editor content gets sanitized
+
+**Solution:** Disable sanitization for specific paths:
+
+```javascript
+// Coming in v1.3.3 - For now, manually handle rich text:
+class PostsController {
+    create(obj) {
+        // For rich text, use different validation
+        const body = obj.params.formData.body;
+
+        // Validate allowed HTML tags only
+        const result = this.validate(body, {
+            type: 'html',
+            allowedTags: ['p', 'strong', 'em', 'a', 'ul', 'li']
+        });
+
+        if (!result.valid) {
+            return this.returnError(400, 'Invalid HTML');
+        }
+
+        // ... create post
+    }
+}
+```
+
+---
+
+## Configuration Options
+
+### Full Configuration
+
+```javascript
+const securityConfig = SecurityEnforcement.init({
+    // CSRF Protection
+    csrf: true,                     // Enable CSRF validation
+    csrfExcludePaths: [             // Paths that skip CSRF check
+        '/api/webhook',
+        '/api/public'
+    ],
+
+    // Input Sanitization
+    sanitizeInputs: true,           // Auto-sanitize all inputs
+
+    // HTTPS Enforcement
+    httpsOnly: true,                // Redirect HTTP to HTTPS (production only)
+
+    // Future Features
+    autoEscape: true,               // Auto-escape template output (v1.3.3)
+
+    // Security Headers (always enabled)
+    headers: {
+        xss: true,                  // X-XSS-Protection
+        frameOptions: true,         // X-Frame-Options
+        contentType: true,          // X-Content-Type-Options
+        referrer: true,             // Referrer-Policy
+        csp: true,                  // Content-Security-Policy
+        permissions: true           // Permissions-Policy
+    }
+});
+```
+
+### Minimal Configuration (Development)
+
+```javascript
+// For development/testing - relaxed security
+const securityConfig = SecurityEnforcement.init({
+    csrf: false,                    // Disable CSRF in development
+    sanitizeInputs: true,           // Keep sanitization
+    httpsOnly: false                // Allow HTTP in development
+});
+```
+
+---
+
+## Security Checklist
+
+Use this checklist to ensure your app is secure:
+
+- [ ] Security enforcement enabled in `config/initializers/config.js`
+- [ ] Hostname configured in `config/environments/env.production.json`
+- [ ] CSRF tokens included in all forms
+- [ ] CSRF meta tag in layout
+- [ ] AJAX requests include X-CSRF-Token header
+- [ ] Webhook paths excluded from CSRF
+- [ ] HTTPS certificate installed
+- [ ] Testing: CSRF validation works
+- [ ] Testing: XSS blocked in forms
+- [ ] Testing: Path traversal blocked
+- [ ] Testing: HTTPS redirect works
+
+---
+
+## Next Steps
+
+1. **Run Security Tests:**
+   ```bash
+   npm test test/security/
+   ```
+
+2. **Test with SSL Labs:**
+   ```
+   https://www.ssllabs.com/ssltest/analyze.html?d=yourapp.com
+   ```
+
+3. **Test with Security Headers:**
+   ```
+   https://securityheaders.com/?q=yourapp.com
+   ```
+
+4. **Read Full Documentation:**
+   - `SECURITY-FIXES-v1.3.2.md` - All fixes explained
+   - `SECURITY-AUDIT-ACTION-SYSTEM.md` - Security audit details
+   - `README.md` - General documentation
+
+---
+
+## Support
+
+**Issues:** https://github.com/alexanderrich/MasterController/issues
+**Security:** security@mastercontroller.com
+
+---
+
+**You're Done!** Your app now has industry-standard security.

package/docs/timeout-and-error-handling.md

@@ -1,6 +1,6 @@
 # Professional Timeout and Error Handling
 
-MasterController v2.0 includes production-ready timeout tracking and error page rendering inspired by Rails and Django.
+MasterController includes production-ready timeout tracking and error page rendering inspired by Rails and Django.
 
 ---
 
@@ -25,7 +25,7 @@ The timeout system provides per-request timeout tracking with configurable optio
 - **Detailed logging** of timeouts
 - **Custom timeout handlers**
 
-###Configuration
+### Configuration
 
 **config/initializers/config.js:**
 
@@ -339,7 +339,7 @@ Accept: application/json
 
 ## Migration Guide
 
-### From Old System (v1.x)
+### From Previous Versions
 
 **OLD - Static HTML in public/ folder:**
 
@@ -396,10 +396,12 @@ Accept: application/json
 # Create error templates directory
 mkdir -p public/errors
 
-# Copy provided templates
-cp node_modules/mastercontroller/templates/errors/*.html public/errors/
+# Move existing error pages
+mv public/404.html public/errors/
+mv public/500.html public/errors/
 
-# Or use your custom templates
+# Create missing templates
+touch public/errors/{400,401,403,405,422,429,502,503,504}.html
 ```
 
 ### Step 3: Update config.js

package/package.json

@@ -18,5 +18,5 @@
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
   },
-  "version": "1.3.1"
+  "version": "1.3.2"
 }

package/security/SecurityEnforcement.js

@@ -0,0 +1,241 @@
+// version 1.0 - Automatic Security Enforcement
+// This middleware automatically enforces security best practices
+var master = require('../MasterControl');
+const { logger } = require('../error/MasterErrorLogger');
+const { validateCSRFToken } = require('./SecurityMiddleware');
+const { sanitizeObject } = require('./MasterValidator');
+const { sanitizeUserHTML } = require('./MasterSanitizer');
+
+class SecurityEnforcement {
+
+	/**
+	 * Initialize automatic security enforcement
+	 * Call this in config/initializers/config.js:
+	 * master.security.enforce({ csrf: true, sanitizeInputs: true, httpsOnly: true });
+	 */
+	static init(options = {}) {
+		const config = {
+			// Auto-enforce CSRF on POST/PUT/DELETE
+			csrf: options.csrf !== false, // Default: true
+
+			// Auto-sanitize all request inputs
+			sanitizeInputs: options.sanitizeInputs !== false, // Default: true
+
+			// Require HTTPS in production
+			httpsOnly: options.httpsOnly !== false, // Default: true
+
+			// Auto-escape template output (future enhancement)
+			autoEscape: options.autoEscape !== false, // Default: true
+
+			// Excluded paths (no CSRF check)
+			csrfExcludePaths: options.csrfExcludePaths || ['/api/webhook'],
+
+			// Allowed origins for CORS
+			allowedOrigins: options.allowedOrigins || [],
+
+			...options
+		};
+
+		logger.info({
+			code: 'MC_SECURITY_ENFORCEMENT_INIT',
+			message: 'Security enforcement initialized',
+			config: {
+				csrf: config.csrf,
+				sanitizeInputs: config.sanitizeInputs,
+				httpsOnly: config.httpsOnly
+			}
+		});
+
+		return config;
+	}
+
+	/**
+	 * Get enforcement middleware for pipeline
+	 * Automatically validates CSRF, sanitizes inputs, enforces HTTPS
+	 */
+	static middleware(config = {}) {
+		return async (ctx, next) => {
+			// 1. HTTPS Enforcement (Production only)
+			if (config.httpsOnly && master.environmentType === 'production') {
+				if (!SecurityEnforcement._isSecure(ctx.request)) {
+					logger.warn({
+						code: 'MC_SECURITY_HTTPS_REQUIRED',
+						message: 'HTTPS required in production',
+						path: ctx.pathName,
+						ip: ctx.request.connection.remoteAddress
+					});
+
+					const configuredHost = master.env?.server?.hostname;
+					if (configuredHost && configuredHost !== 'localhost') {
+						const httpsPort = master.env?.server?.httpsPort || 443;
+						const port = httpsPort === 443 ? '' : `:${httpsPort}`;
+						const httpsUrl = `https://${configuredHost}${port}${ctx.request.url}`;
+
+						ctx.response.statusCode = 301;
+						ctx.response.setHeader('Location', httpsUrl);
+						ctx.response.end();
+						return; // Don't call next()
+					}
+				}
+			}
+
+			// 2. CSRF Protection (POST, PUT, DELETE, PATCH)
+			if (config.csrf && ['post', 'put', 'delete', 'patch'].includes(ctx.type)) {
+				// Check if path is excluded
+				const isExcluded = config.csrfExcludePaths.some(excludePath => {
+					return ctx.pathName.startsWith(excludePath.replace(/^\//, ''));
+				});
+
+				if (!isExcluded) {
+					const token = ctx.request.headers['x-csrf-token'] ||
+					             ctx.params?.formData?._csrf ||
+					             ctx.params?.query?._csrf;
+
+					if (!token) {
+						logger.warn({
+							code: 'MC_SECURITY_CSRF_MISSING',
+							message: 'CSRF token missing',
+							path: ctx.pathName,
+							method: ctx.type,
+							ip: ctx.request.connection.remoteAddress
+						});
+
+						ctx.response.statusCode = 403;
+						ctx.response.setHeader('Content-Type', 'application/json');
+						ctx.response.end(JSON.stringify({
+							error: 'CSRF token required',
+							message: 'Include X-CSRF-Token header or _csrf field in request'
+						}));
+						return; // Don't call next()
+					}
+
+					const validation = validateCSRFToken(token);
+					if (!validation.valid) {
+						logger.warn({
+							code: 'MC_SECURITY_CSRF_INVALID',
+							message: 'CSRF token validation failed',
+							path: ctx.pathName,
+							reason: validation.reason,
+							ip: ctx.request.connection.remoteAddress
+						});
+
+						ctx.response.statusCode = 403;
+						ctx.response.setHeader('Content-Type', 'application/json');
+						ctx.response.end(JSON.stringify({
+							error: 'Invalid CSRF token',
+							message: validation.reason
+						}));
+						return; // Don't call next()
+					}
+				}
+			}
+
+			// 3. Input Sanitization (All methods)
+			if (config.sanitizeInputs && ctx.params) {
+				try {
+					// Sanitize all input objects
+					if (ctx.params.formData) {
+						ctx.params.formData = SecurityEnforcement._sanitizeInputs(ctx.params.formData);
+					}
+					if (ctx.params.query) {
+						ctx.params.query = SecurityEnforcement._sanitizeInputs(ctx.params.query);
+					}
+					if (ctx.params.body) {
+						ctx.params.body = SecurityEnforcement._sanitizeInputs(ctx.params.body);
+					}
+
+					logger.debug({
+						code: 'MC_SECURITY_SANITIZED',
+						message: 'Inputs sanitized',
+						path: ctx.pathName
+					});
+				} catch (error) {
+					logger.error({
+						code: 'MC_SECURITY_SANITIZE_ERROR',
+						message: 'Failed to sanitize inputs',
+						error: error.message,
+						path: ctx.pathName
+					});
+				}
+			}
+
+			// 4. Security Headers
+			SecurityEnforcement._applySecurityHeaders(ctx.response);
+
+			// Continue to next middleware
+			await next();
+		};
+	}
+
+	/**
+	 * Check if request is secure (HTTPS)
+	 */
+	static _isSecure(req) {
+		return req.connection.encrypted ||
+		       req.headers['x-forwarded-proto'] === 'https';
+	}
+
+	/**
+	 * Sanitize user inputs recursively
+	 */
+	static _sanitizeInputs(obj) {
+		if (typeof obj !== 'object' || obj === null) {
+			return obj;
+		}
+
+		// Handle arrays
+		if (Array.isArray(obj)) {
+			return obj.map(item => SecurityEnforcement._sanitizeInputs(item));
+		}
+
+		// Handle objects
+		const sanitized = {};
+		for (const [key, value] of Object.entries(obj)) {
+			if (typeof value === 'string') {
+				// Sanitize HTML in string values
+				sanitized[key] = sanitizeUserHTML(value);
+			} else if (typeof value === 'object' && value !== null) {
+				// Recursively sanitize nested objects
+				sanitized[key] = SecurityEnforcement._sanitizeInputs(value);
+			} else {
+				// Keep other types as-is
+				sanitized[key] = value;
+			}
+		}
+
+		return sanitized;
+	}
+
+	/**
+	 * Apply security headers to response
+	 */
+	static _applySecurityHeaders(response) {
+		if (response.headersSent || response._headerSent) {
+			return;
+		}
+
+		// XSS Protection
+		response.setHeader('X-XSS-Protection', '1; mode=block');
+
+		// Clickjacking Protection
+		response.setHeader('X-Frame-Options', 'SAMEORIGIN');
+
+		// MIME Sniffing Protection
+		response.setHeader('X-Content-Type-Options', 'nosniff');
+
+		// Referrer Policy
+		response.setHeader('Referrer-Policy', 'strict-origin-when-cross-origin');
+
+		// Content Security Policy (basic)
+		response.setHeader('Content-Security-Policy', "default-src 'self'");
+
+		// Feature Policy / Permissions Policy
+		response.setHeader('Permissions-Policy', 'geolocation=(), microphone=(), camera=()');
+	}
+}
+
+// Export for use in config
+module.exports = SecurityEnforcement;
+
+// Also extend master object
+master.extend('securityEnforcement', SecurityEnforcement);

package/security/SessionSecurity.js

@@ -501,11 +501,12 @@ class MasterSessionSecurity {
   }
 }
 
-// Auto-register with MasterController
-master.extend("session", MasterSessionSecurity);
+// Note: Auto-registration with MasterController happens in init() to avoid circular dependency
+// This is called when master.session.init() is invoked in config.js
 
 module.exports = {
   SessionSecurity,
+  MasterSessionSecurity,
   session,
   createSessionMiddleware,
   destroySession,