npm - mastercontroller - Versions diffs - 1.3.1 → 1.3.3 - Mend

mastercontroller 1.3.1 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

package/.claude/settings.local.json +6 -1
package/MasterAction.js +158 -27
package/MasterActionFilters.js +213 -93
package/MasterControl.js +289 -43
package/MasterCors.js +1 -2
package/MasterHtml.js +243 -145
package/MasterPipeline.js +2 -3
package/MasterRequest.js +203 -26
package/MasterRouter.js +1 -2
package/MasterSocket.js +7 -3
package/MasterTemp.js +1 -2
package/MasterTimeout.js +2 -4
package/MasterTools.js +388 -0
package/README.md +2288 -369
package/TemplateOverwrite.js +1 -1
package/docs/SECURITY-AUDIT-ACTION-SYSTEM.md +1374 -0
package/docs/SECURITY-AUDIT-HTTPS.md +1056 -0
package/docs/SECURITY-QUICKSTART.md +375 -0
package/docs/timeout-and-error-handling.md +8 -6
package/error/MasterError.js +1 -2
package/error/MasterErrorRenderer.js +1 -2
package/package.json +1 -1
package/security/SecurityEnforcement.js +241 -0
package/security/SessionSecurity.js +6 -5
package/test/security/filters.test.js +276 -0
package/test/security/https.test.js +214 -0
package/test/security/path-traversal.test.js +222 -0
package/test/security/xss.test.js +190 -0
package/MasterSession.js +0 -208
package/docs/server-setup-hostname-binding.md +0 -24
package/docs/server-setup-http.md +0 -32
package/docs/server-setup-https-credentials.md +0 -32
package/docs/server-setup-https-env-tls-sni.md +0 -62
package/docs/server-setup-nginx-reverse-proxy.md +0 -46

package/security/SessionSecurity.js CHANGED Viewed

@@ -407,9 +407,6 @@ const SESSION_BEST_PRACTICES = {
   }
 };
-// MasterController Integration
-const master = require('../MasterControl');
 // Create MasterController-compatible wrapper
 class MasterSessionSecurity {
   constructor() {
@@ -425,6 +422,9 @@ class MasterSessionSecurity {
     this._options = options;
     this._instance = new SessionSecurity(options);
+    // Lazy load master to avoid circular dependency
+    const master = require('../MasterControl');
     // Auto-register with pipeline if available
     if (master.pipeline) {
       master.pipeline.use(this._instance.middleware());
@@ -501,11 +501,12 @@ class MasterSessionSecurity {
   }
 }
-// Auto-register with MasterController
-master.extend("session", MasterSessionSecurity);
+// Note: Auto-registration with MasterController happens in init() to avoid circular dependency
+// This is called when master.session.init() is invoked in config.js
 module.exports = {
   SessionSecurity,
+  MasterSessionSecurity,
   session,
   createSessionMiddleware,
   destroySession,

package/test/security/filters.test.js ADDED Viewed

@@ -0,0 +1,276 @@
+// Action Filter Tests for MasterActionFilters.js
+const master = require('../../MasterControl');
+require('../../MasterActionFilters');
+describe('Action Filters - Fixed Architecture', () => {
+	class TestController {
+		constructor() {
+			this.__namespace = 'test';
+			this._beforeActionFilters = [];
+			this._afterActionFilters = [];
+			// Import methods from MasterActionFilters
+			Object.assign(this, master.controllerExtensions);
+		}
+	}
+	describe('Multiple Filters Support', () => {
+		test('should support multiple beforeAction filters', () => {
+			const controller = new TestController();
+			controller.beforeAction(['show'], () => console.log('Filter 1'));
+			controller.beforeAction(['show'], () => console.log('Filter 2'));
+			controller.beforeAction(['edit'], () => console.log('Filter 3'));
+			// Should have 3 filters
+			expect(controller._beforeActionFilters).toHaveLength(3);
+		});
+		test('should not overwrite previous filters', () => {
+			const controller = new TestController();
+			controller.beforeAction(['show'], () => 'first');
+			controller.beforeAction(['show'], () => 'second');
+			// Both filters should exist
+			expect(controller._beforeActionFilters[0].callBack()).toBe('first');
+			expect(controller._beforeActionFilters[1].callBack()).toBe('second');
+		});
+		test('should support multiple afterAction filters', () => {
+			const controller = new TestController();
+			controller.afterAction(['index'], () => {});
+			controller.afterAction(['index'], () => {});
+			expect(controller._afterActionFilters).toHaveLength(2);
+		});
+	});
+	describe('Instance-Level Filters (Not Global)', () => {
+		test('should not share filters between controllers', () => {
+			const controller1 = new TestController();
+			const controller2 = new TestController();
+			controller1.__namespace = 'users';
+			controller2.__namespace = 'posts';
+			controller1.beforeAction(['show'], () => 'users filter');
+			controller2.beforeAction(['index'], () => 'posts filter');
+			// Each controller has independent filters
+			expect(controller1._beforeActionFilters).toHaveLength(1);
+			expect(controller2._beforeActionFilters).toHaveLength(1);
+			expect(controller1._beforeActionFilters[0].namespace).toBe('users');
+			expect(controller2._beforeActionFilters[0].namespace).toBe('posts');
+		});
+		test('should not have race conditions between requests', () => {
+			// Simulate two concurrent requests
+			const request1Controller = new TestController();
+			const request2Controller = new TestController();
+			request1Controller.__namespace = 'users';
+			request2Controller.__namespace = 'admin';
+			request1Controller.beforeAction(['show'], () => 'request 1');
+			request2Controller.beforeAction(['dashboard'], () => 'request 2');
+			// Each request has its own filter state
+			expect(request1Controller._beforeActionFilters[0].callBack()).toBe('request 1');
+			expect(request2Controller._beforeActionFilters[0].callBack()).toBe('request 2');
+		});
+	});
+	describe('Filter Execution', () => {
+		test('should execute all matching filters in order', async () => {
+			const controller = new TestController();
+			const executionOrder = [];
+			controller.beforeAction(['show'], () => executionOrder.push('first'));
+			controller.beforeAction(['show'], () => executionOrder.push('second'));
+			controller.beforeAction(['show'], () => executionOrder.push('third'));
+			const request = {
+				toAction: 'show',
+				response: { _headerSent: false, headersSent: false }
+			};
+			await controller.__callBeforeAction(controller, request, null);
+			expect(executionOrder).toEqual(['first', 'second', 'third']);
+		});
+		test('should only execute filters for matching actions', async () => {
+			const controller = new TestController();
+			const executed = [];
+			controller.beforeAction(['show'], () => executed.push('show'));
+			controller.beforeAction(['edit'], () => executed.push('edit'));
+			controller.beforeAction(['destroy'], () => executed.push('destroy'));
+			const request = {
+				toAction: 'show',
+				response: { _headerSent: false, headersSent: false }
+			};
+			await controller.__callBeforeAction(controller, request, null);
+			expect(executed).toEqual(['show']);
+		});
+	});
+	describe('Async Support', () => {
+		test('should support async filters', async () => {
+			const controller = new TestController();
+			let asyncCompleted = false;
+			controller.beforeAction(['index'], async () => {
+				await new Promise(resolve => setTimeout(resolve, 10));
+				asyncCompleted = true;
+			});
+			const request = {
+				toAction: 'index',
+				response: { _headerSent: false, headersSent: false }
+			};
+			await controller.__callBeforeAction(controller, request, null);
+			expect(asyncCompleted).toBe(true);
+		});
+		test('should await each filter before continuing', async () => {
+			const controller = new TestController();
+			const order = [];
+			controller.beforeAction(['index'], async () => {
+				order.push('start-1');
+				await new Promise(resolve => setTimeout(resolve, 20));
+				order.push('end-1');
+			});
+			controller.beforeAction(['index'], async () => {
+				order.push('start-2');
+				await new Promise(resolve => setTimeout(resolve, 10));
+				order.push('end-2');
+			});
+			const request = {
+				toAction: 'index',
+				response: { _headerSent: false, headersSent: false }
+			};
+			await controller.__callBeforeAction(controller, request, null);
+			// Should execute in order, awaiting each
+			expect(order).toEqual(['start-1', 'end-1', 'start-2', 'end-2']);
+		});
+	});
+	describe('Error Handling', () => {
+		test('should catch and log filter errors', async () => {
+			const controller = new TestController();
+			controller.beforeAction(['index'], () => {
+				throw new Error('Filter error');
+			});
+			const request = {
+				toAction: 'index',
+				response: {
+					_headerSent: false,
+					headersSent: false,
+					writeHead: jest.fn(),
+					end: jest.fn()
+				}
+			};
+			await expect(
+				controller.__callBeforeAction(controller, request, null)
+			).rejects.toThrow('Filter error');
+			// Should send error response
+			expect(request.response.writeHead).toHaveBeenCalledWith(500, expect.any(Object));
+		});
+		test('should stop filter chain on error', async () => {
+			const controller = new TestController();
+			const executed = [];
+			controller.beforeAction(['index'], () => {
+				executed.push('first');
+				throw new Error('Stop here');
+			});
+			controller.beforeAction(['index'], () => {
+				executed.push('second'); // Should not execute
+			});
+			const request = {
+				toAction: 'index',
+				response: {
+					_headerSent: false,
+					headersSent: false,
+					writeHead: jest.fn(),
+					end: jest.fn()
+				}
+			};
+			try {
+				await controller.__callBeforeAction(controller, request, null);
+			} catch (e) {}
+			expect(executed).toEqual(['first']);
+		});
+	});
+	describe('Timeout Protection', () => {
+		test('should timeout slow filters', async () => {
+			const controller = new TestController();
+			controller.beforeAction(['index'], async () => {
+				// Simulate slow operation (6 seconds, timeout is 5 seconds)
+				await new Promise(resolve => setTimeout(resolve, 6000));
+			});
+			const request = {
+				toAction: 'index',
+				response: {
+					_headerSent: false,
+					headersSent: false,
+					writeHead: jest.fn(),
+					end: jest.fn()
+				}
+			};
+			await expect(
+				controller.__callBeforeAction(controller, request, null)
+			).rejects.toThrow(/timeout/i);
+		}, 10000); // Increase test timeout
+	});
+	describe('Variable Shadowing Fix', () => {
+		test('should not have variable shadowing bugs', async () => {
+			const controller = new TestController();
+			const actions = ['show', 'edit', 'destroy'];
+			// This used to cause bugs due to variable shadowing
+			controller.beforeAction(actions, (req) => {
+				// Action list should be properly iterated
+			});
+			const request = {
+				toAction: 'edit',
+				response: { _headerSent: false, headersSent: false }
+			};
+			// Should execute without errors
+			await expect(
+				controller.__callBeforeAction(controller, request, null)
+			).resolves.not.toThrow();
+		});
+	});
+});

package/test/security/https.test.js ADDED Viewed

@@ -0,0 +1,214 @@
+// HTTPS and Open Redirect Protection Tests
+const master = require('../../MasterControl');
+require('../../MasterAction');
+describe('HTTPS and Open Redirect Protection', () => {
+	class MockController {
+		constructor() {
+			Object.assign(this, master.controllerExtensions);
+			this.__requestObject = {
+				request: {
+					connection: {},
+					headers: {}
+				},
+				response: {
+					_headerSent: false,
+					headersSent: false,
+					writeHead: jest.fn(),
+					end: jest.fn(),
+					setHeader: jest.fn()
+				},
+				pathName: '/login'
+			};
+		}
+		redirectTo(url) {
+			this.__requestObject.response.writeHead(302, { 'Location': url });
+			this.__requestObject.response.end();
+		}
+		returnError(code, message) {
+			this.__requestObject.response.writeHead(code, { 'Content-Type': 'application/json' });
+			this.__requestObject.response.end(JSON.stringify({ error: message }));
+		}
+	}
+	describe('requireHTTPS() - Open Redirect Fix', () => {
+		beforeEach(() => {
+			// Setup test environment
+			master.env = master.env || {};
+			master.env.server = {
+				hostname: 'example.com',
+				httpsPort: 443
+			};
+		});
+		test('should NOT use Host header from request', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			controller.__requestObject.request.headers.host = 'evil.com';
+			controller.requireHTTPS();
+			// Should redirect to configured host, NOT Host header
+			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+			expect(redirectCall).toBeTruthy();
+			expect(redirectCall[1].Location).toBe('https://example.com/login');
+			expect(redirectCall[1].Location).not.toContain('evil.com');
+		});
+		test('should use configured hostname', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			master.env.server.hostname = 'myapp.com';
+			controller.requireHTTPS();
+			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+			expect(redirectCall[1].Location).toBe('https://myapp.com/login');
+		});
+		test('should include port if not 443', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			master.env.server.hostname = 'example.com';
+			master.env.server.httpsPort = 8443;
+			controller.requireHTTPS();
+			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+			expect(redirectCall[1].Location).toBe('https://example.com:8443/login');
+		});
+		test('should return error if hostname not configured', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			master.env.server.hostname = 'localhost';
+			const result = controller.requireHTTPS();
+			expect(result).toBe(false);
+			expect(controller.__requestObject.response.writeHead).toHaveBeenCalledWith(500, expect.any(Object));
+		});
+		test('should allow request if already HTTPS', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = true;
+			const result = controller.requireHTTPS();
+			expect(result).toBe(true);
+			expect(controller.__requestObject.response.writeHead).not.toHaveBeenCalled();
+		});
+		test('should detect HTTPS from X-Forwarded-Proto header', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			controller.__requestObject.request.headers['x-forwarded-proto'] = 'https';
+			const result = controller.requireHTTPS();
+			expect(result).toBe(true);
+		});
+	});
+	describe('isSecure()', () => {
+		test('should return true for encrypted connection', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = true;
+			expect(controller.isSecure()).toBe(true);
+		});
+		test('should return true for X-Forwarded-Proto: https', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.headers['x-forwarded-proto'] = 'https';
+			expect(controller.isSecure()).toBe(true);
+		});
+		test('should return false for HTTP', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			controller.__requestObject.request.headers['x-forwarded-proto'] = 'http';
+			expect(controller.isSecure()).toBe(false);
+		});
+	});
+	describe('Real-World Attack Scenarios', () => {
+		beforeEach(() => {
+			master.env = master.env || {};
+			master.env.server = {
+				hostname: 'legitimate.com',
+				httpsPort: 443
+			};
+		});
+		test('should prevent phishing via Host header manipulation', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			// Attacker sets malicious Host header
+			controller.__requestObject.request.headers.host = 'phishing-site.com';
+			controller.__requestObject.pathName = '/login';
+			controller.requireHTTPS();
+			// Should redirect to legitimate site, not attacker's
+			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+			expect(redirectCall[1].Location).toBe('https://legitimate.com/login');
+			expect(redirectCall[1].Location).not.toContain('phishing-site.com');
+		});
+		test('should prevent redirect to external domain', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			// Attacker tries various Host header values
+			const maliciousHosts = [
+				'evil.com',
+				'attacker.net',
+				'phishing.org',
+				'legitimate.com.evil.com'
+			];
+			maliciousHosts.forEach(host => {
+				controller.__requestObject.request.headers.host = host;
+				controller.__requestObject.response.writeHead.mockClear();
+				controller.requireHTTPS();
+				const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+				const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+				expect(redirectCall[1].Location).toBe('https://legitimate.com/login');
+			});
+		});
+		test('should preserve original path in redirect', () => {
+			const controller = new MockController();
+			controller.__requestObject.request.connection.encrypted = false;
+			controller.__requestObject.pathName = '/admin/users/123';
+			controller.requireHTTPS();
+			const writeHeadCalls = controller.__requestObject.response.writeHead.mock.calls;
+			const redirectCall = writeHeadCalls.find(call => call[0] === 302);
+			expect(redirectCall[1].Location).toBe('https://legitimate.com/admin/users/123');
+		});
+	});
+});