securenow 4.0.2 → 4.0.5

package/nextjs-middleware.js

@@ -0,0 +1,178 @@
+/**
+ * SecureNow Next.js Middleware for Body Capture
+ * 
+ * OPTIONAL: Import this in your Next.js app to enable automatic body capture
+ * 
+ * Usage:
+ * 
+ * Create middleware.ts in your Next.js app root:
+ * 
+ * export { middleware } from 'securenow/nextjs-middleware';
+ * export const config = {
+ *   matcher: '/api/:path*',  // Apply to API routes only
+ * };
+ * 
+ * That's it! Bodies are now captured with sensitive data redacted.
+ */
+
+const { trace, context, SpanStatusCode } = require('@opentelemetry/api');
+
+// Default sensitive fields to redact
+const DEFAULT_SENSITIVE_FIELDS = [
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
+  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
+];
+
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  
+  for (const key in redacted) {
+    const lowerKey = key.toLowerCase();
+    
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    }
+  }
+  
+  return redacted;
+}
+
+/**
+ * Redact sensitive data from GraphQL query strings
+ */
+function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!query || typeof query !== 'string') return query;
+  
+  let redacted = query;
+  
+  sensitiveFields.forEach(field => {
+    const patterns = [
+      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+    ];
+    
+    patterns.forEach(pattern => {
+      redacted = redacted.replace(pattern, (match, prefix, value, suffix) => {
+        return suffix ? `${prefix}[REDACTED]${suffix}` : `${prefix}[REDACTED]`;
+      });
+    });
+  });
+  
+  return redacted;
+}
+
+/**
+ * Next.js Middleware for Body Capture
+ */
+async function middleware(request) {
+  const { NextResponse } = require('next/server');
+  
+  // Only capture for POST/PUT/PATCH
+  if (!['POST', 'PUT', 'PATCH'].includes(request.method)) {
+    return NextResponse.next();
+  }
+  
+  // Get or create a tracer
+  const tracer = trace.getTracer('securenow-middleware');
+  let span = trace.getActiveSpan();
+  let createdSpan = false;
+  
+  // If no active span, create one for this middleware
+  if (!span) {
+    const url = new URL(request.url);
+    span = tracer.startSpan(`middleware ${request.method} ${url.pathname}`);
+    createdSpan = true;
+  }
+  
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    const maxBodySize = parseInt(process.env.SECURENOW_MAX_BODY_SIZE || '10240');
+    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+    
+    // Only capture supported types
+    if (contentType.includes('application/json') || 
+        contentType.includes('application/graphql')) {
+      
+      // Clone the request to read body without consuming the original
+      const clonedRequest = request.clone();
+      const bodyText = await clonedRequest.text();
+      
+      if (bodyText.length <= maxBodySize) {
+        let redactedBody;
+        
+        if (contentType.includes('application/graphql')) {
+          // GraphQL: redact query string
+          redactedBody = redactGraphQLQuery(bodyText, allSensitiveFields);
+        } else {
+          // JSON: parse and redact
+          try {
+            const parsed = JSON.parse(bodyText);
+            const redacted = redactSensitiveData(parsed, allSensitiveFields);
+            redactedBody = JSON.stringify(redacted);
+          } catch (e) {
+            redactedBody = bodyText; // Keep as-is if parse fails
+          }
+        }
+        
+        span.setAttributes({
+          'http.request.body': redactedBody.substring(0, maxBodySize),
+          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
+          'http.request.body.size': bodyText.length,
+        });
+      } else {
+        span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
+      }
+    } else if (contentType.includes('application/x-www-form-urlencoded')) {
+      const clonedRequest = request.clone();
+      const formData = await clonedRequest.formData();
+      const parsed = Object.fromEntries(formData);
+      const redacted = redactSensitiveData(parsed, allSensitiveFields);
+      
+      span.setAttributes({
+        'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+        'http.request.body.type': 'form',
+        'http.request.body.size': JSON.stringify(parsed).length,
+      });
+    } else if (contentType.includes('multipart/form-data')) {
+      span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
+      span.setAttribute('http.request.body.type', 'multipart');
+    }
+    
+    // End span if we created it
+    if (createdSpan) {
+      span.setStatus({ code: SpanStatusCode.OK });
+      span.end();
+    }
+  } catch (error) {
+    // Silently fail - don't break the request
+    console.debug('[securenow] Body capture failed:', error.message);
+    
+    // End span with error if we created it
+    if (createdSpan && span) {
+      span.setStatus({ 
+        code: SpanStatusCode.ERROR,
+        message: error.message 
+      });
+      span.end();
+    }
+  }
+  
+  return NextResponse.next();
+}
+
+module.exports = {
+  middleware,
+  redactSensitiveData,
+  redactGraphQLQuery,
+  DEFAULT_SENSITIVE_FIELDS,
+};
+

package/nextjs-wrapper.js

@@ -0,0 +1,155 @@
+/**
+ * SecureNow Next.js API Route Wrapper for Body Capture
+ * 
+ * This approach is NON-INVASIVE and runs INSIDE your handler,
+ * so it never blocks or interferes with middleware or routing.
+ * 
+ * Usage:
+ * 
+ * import { withSecureNow } from 'securenow/nextjs-wrapper';
+ * 
+ * export const POST = withSecureNow(async (request) => {
+ *   // Your handler code - request.body is available as parsed JSON
+ *   const data = await request.json();
+ *   return Response.json({ success: true });
+ * });
+ */
+
+const { trace } = require('@opentelemetry/api');
+
+// Default sensitive fields to redact
+const DEFAULT_SENSITIVE_FIELDS = [
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
+  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
+];
+
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  
+  for (const key in redacted) {
+    const lowerKey = key.toLowerCase();
+    
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    }
+  }
+  
+  return redacted;
+}
+
+/**
+ * Capture body from Request object (clone to avoid consuming)
+ */
+async function captureRequestBody(request) {
+  const captureBody = String(process.env.SECURENOW_CAPTURE_BODY) === '1' || 
+                      String(process.env.SECURENOW_CAPTURE_BODY).toLowerCase() === 'true';
+  
+  if (!captureBody) return;
+  if (!['POST', 'PUT', 'PATCH'].includes(request.method)) return;
+  
+  const span = trace.getActiveSpan();
+  if (!span) return;
+  
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    const maxBodySize = parseInt(process.env.SECURENOW_MAX_BODY_SIZE || '10240');
+    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+    
+    // Only for supported types
+    if (!contentType.includes('application/json') && 
+        !contentType.includes('application/graphql') &&
+        !contentType.includes('application/x-www-form-urlencoded')) {
+      return;
+    }
+    
+    // Clone to avoid consuming the original
+    const cloned = request.clone();
+    const bodyText = await cloned.text();
+    
+    if (bodyText.length > maxBodySize) {
+      span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
+      span.setAttribute('http.request.body.size', bodyText.length);
+      return;
+    }
+    
+    // Parse and redact based on type
+    let redacted;
+    if (contentType.includes('application/json') || contentType.includes('application/graphql')) {
+      try {
+        const parsed = JSON.parse(bodyText);
+        redacted = redactSensitiveData(parsed, allSensitiveFields);
+        span.setAttributes({
+          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
+          'http.request.body.size': bodyText.length,
+        });
+      } catch (e) {
+        span.setAttribute('http.request.body', '[INVALID JSON]');
+      }
+    } else if (contentType.includes('application/x-www-form-urlencoded')) {
+      const params = new URLSearchParams(bodyText);
+      const parsed = Object.fromEntries(params);
+      redacted = redactSensitiveData(parsed, allSensitiveFields);
+      span.setAttributes({
+        'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+        'http.request.body.type': 'form',
+        'http.request.body.size': bodyText.length,
+      });
+    }
+  } catch (error) {
+    // Silently fail - never block the request
+  }
+}
+
+/**
+ * Wrap a Next.js API route handler to capture body
+ * This is OPTIONAL and NON-INVASIVE - only use on routes where you want body capture
+ */
+function withSecureNow(handler) {
+  return async function wrappedHandler(request, context) {
+    // Capture body asynchronously (doesn't block handler)
+    captureRequestBody(request).catch(() => {
+      // Ignore errors silently
+    });
+    
+    // Call original handler immediately - no blocking!
+    return handler(request, context);
+  };
+}
+
+/**
+ * Alternative: Auto-capture wrapper that tries to capture AFTER handler runs
+ * This is even safer as it never interferes with the handler logic
+ */
+function withSecureNowAsync(handler) {
+  return async function wrappedHandler(request, context) {
+    // Try to capture body in background (non-blocking)
+    const capturePromise = captureRequestBody(request);
+    
+    // Run handler
+    const response = await handler(request, context);
+    
+    // Wait for capture to finish (but don't fail if it doesn't)
+    await capturePromise.catch(() => {});
+    
+    return response;
+  };
+}
+
+module.exports = {
+  withSecureNow,
+  withSecureNowAsync,
+  captureRequestBody,
+  redactSensitiveData,
+  DEFAULT_SENSITIVE_FIELDS,
+};
+

package/nextjs.js

@@ -25,6 +25,176 @@ const env = k => process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k
 
 let isRegistered = false;
 
+// Default sensitive fields to redact from request bodies
+const DEFAULT_SENSITIVE_FIELDS = [
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
+  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
+];
+
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  
+  for (const key in redacted) {
+    const lowerKey = key.toLowerCase();
+    
+    // Check if field is sensitive
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      // Recursively redact nested objects
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    }
+  }
+  
+  return redacted;
+}
+
+/**
+ * Redact sensitive data from GraphQL query strings
+ */
+function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!query || typeof query !== 'string') return query;
+  
+  let redacted = query;
+  
+  // Redact sensitive fields in GraphQL arguments and variables
+  // Matches patterns like: password: "value" or password:"value" or password:'value'
+  sensitiveFields.forEach(field => {
+    // Match field: "value" or field: 'value' or field:"value" (with optional spaces)
+    const patterns = [
+      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+    ];
+    
+    patterns.forEach(pattern => {
+      redacted = redacted.replace(pattern, (match, prefix, value, suffix) => {
+        if (suffix) {
+          return `${prefix}[REDACTED]${suffix}`;
+        } else {
+          return `${prefix}[REDACTED]`;
+        }
+      });
+    });
+  });
+  
+  return redacted;
+}
+
+/**
+ * Parse and capture request body safely
+ */
+async function captureRequestBody(request, maxSize = 10240) {
+  try {
+    const contentType = request.headers['content-type'] || '';
+    let body = '';
+    
+    // Collect body chunks
+    const chunks = [];
+    let size = 0;
+    
+    return new Promise((resolve) => {
+      request.on('data', (chunk) => {
+        size += chunk.length;
+        if (size <= maxSize) {
+          chunks.push(chunk);
+        }
+      });
+      
+      request.on('end', () => {
+        if (size > maxSize) {
+          resolve({ 
+            captured: false, 
+            reason: `Body too large (${size} bytes > ${maxSize} bytes)`,
+            size 
+          });
+          return;
+        }
+        
+        body = Buffer.concat(chunks).toString('utf8');
+        
+        // Parse based on content type
+        if (contentType.includes('application/json')) {
+          try {
+            const parsed = JSON.parse(body);
+            resolve({ 
+              captured: true, 
+              type: 'json', 
+              body: parsed,
+              size 
+            });
+          } catch (e) {
+            resolve({ 
+              captured: true, 
+              type: 'json', 
+              body: body.substring(0, 1000),
+              parseError: true,
+              size 
+            });
+          }
+        } else if (contentType.includes('application/graphql')) {
+          // GraphQL queries need redaction too!
+          resolve({ 
+            captured: true, 
+            type: 'graphql', 
+            body: body,  // Will be redacted later
+            size 
+          });
+        } else if (contentType.includes('multipart/form-data')) {
+          // Multipart is NOT captured (files can be huge)
+          resolve({ 
+            captured: false, 
+            type: 'multipart', 
+            reason: 'Multipart data not captured (file uploads)',
+            size 
+          });
+        } else if (contentType.includes('application/x-www-form-urlencoded')) {
+          try {
+            const params = new URLSearchParams(body);
+            const parsed = Object.fromEntries(params);
+            resolve({ 
+              captured: true, 
+              type: 'form', 
+              body: parsed,
+              size 
+            });
+          } catch (e) {
+            resolve({ 
+              captured: true, 
+              type: 'form', 
+              body: body.substring(0, 1000),
+              size 
+            });
+          }
+        } else {
+          resolve({ 
+            captured: true, 
+            type: 'text', 
+            body: body.substring(0, 1000),
+            size 
+          });
+        }
+      });
+      
+      request.on('error', () => {
+        resolve({ captured: false, reason: 'Stream error' });
+      });
+      
+      // Timeout after 100ms
+      setTimeout(() => {
+        resolve({ captured: false, reason: 'Timeout' });
+      }, 100);
+    });
+  } catch (error) {
+    return { captured: false, reason: error.message };
+  }
+}
+
 /**
  * Register SecureNow OpenTelemetry for Next.js using @vercel/otel
  * @param {Object} options - Optional configuration
@@ -86,6 +256,14 @@ function registerSecureNow(options = {}) {
 
     console.log('[securenow] 🚀 Next.js App → service.name=%s', serviceName);
 
+    // -------- Body Capture Configuration --------
+    const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' || 
+                       String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true' ||
+                       options.captureBody === true;
+    const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB default
+    const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+
     // -------- Use @vercel/otel with enhanced configuration --------
     const { registerOTel } = require('@vercel/otel');
     const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
@@ -98,11 +276,18 @@ function registerSecureNow(options = {}) {
         'vercel.region': process.env.VERCEL_REGION || undefined,
       },
       instrumentations: [
-        // Add HTTP instrumentation with request hooks to capture IP and headers
+        // Add HTTP instrumentation with request hooks to capture IP, headers
+        // NOTE: Body capture is DISABLED at this level for Next.js to prevent conflicts
         new HttpInstrumentation({
           requireParentforOutgoingSpans: false,
           requireParentforIncomingSpans: false,
+          // Ignore request/response bodies to prevent Next.js conflicts
+          ignoreIncomingRequestHook: (request) => {
+            // Never ignore - we want to trace all requests
+            return false;
+          },
           requestHook: (span, request) => {
+            // SYNCHRONOUS ONLY - no async operations to avoid timing issues
             try {
               // Capture client IP from various headers
               const headers = request.headers || {};
@@ -116,7 +301,7 @@ function registerSecureNow(options = {}) {
                 request.socket?.remoteAddress ||
                 'unknown';
               
-              // Add IP and request metadata to span
+              // Add IP and request metadata to span (synchronously)
               span.setAttributes({
                 'http.client_ip': clientIp,
                 'http.user_agent': headers['user-agent'] || 'unknown',
@@ -140,21 +325,21 @@ function registerSecureNow(options = {}) {
               if (headers['cf-ipcountry']) {
                 span.setAttribute('http.geo.country', headers['cf-ipcountry']);
               }
+
+              // -------- Request Body NOT captured at HTTP instrumentation level --------
+              // IMPORTANT: Do NOT attempt to read request.body or listen to 'data' events
+              // Next.js manages request streams internally and reading them here causes:
+              // - "Response body object should not be disturbed or locked" errors
+              // - Hanging requests that never complete
+              // - Body data unavailable to Next.js route handlers
+              //
+              // Body capture must be done in Next.js middleware using request.clone()
+              
             } catch (error) {
               // Silently fail to not break the request
-              console.debug('[securenow] Failed to capture request metadata:', error.message);
-            }
-          },
-          responseHook: (span, response) => {
-            try {
-              // Add response metadata
-              if (response.statusCode) {
-                span.setAttribute('http.status_code', response.statusCode);
-              }
-            } catch (error) {
-              console.debug('[securenow] Failed to capture response metadata:', error.message);
+              // Do not log in production to avoid noise
             }
-          },
+          }
         }),
       ],
       instrumentationConfig: {
@@ -180,6 +365,11 @@ function registerSecureNow(options = {}) {
     isRegistered = true;
     console.log('[securenow] ✅ OpenTelemetry started for Next.js → %s', tracesUrl);
     console.log('[securenow] 📊 Auto-capturing: IP, User-Agent, Headers, Geographic data');
+    console.log('[securenow] ⚠️  Body capture DISABLED at HTTP instrumentation level (prevents Next.js conflicts)');
+    if (captureBody) {
+      console.log('[securenow] 💡 SECURENOW_CAPTURE_BODY is set but has no effect in Next.js HTTP instrumentation');
+      console.log('[securenow] 💡 Body capture must be implemented differently for Next.js (coming soon)');
+    }
 
     // Optional test span
     if (String(env('SECURENOW_TEST_SPAN')) === '1') {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "4.0.2",
+  "version": "4.0.5",
   "description": "OpenTelemetry instrumentation for Node.js and Next.js - Send traces to SigNoz or any OTLP backend",
   "type": "commonjs",
   "main": "register.js",
@@ -33,6 +33,9 @@
     "./register": "./register.js",
     "./tracing": "./tracing.js",
     "./nextjs": "./nextjs.js",
+    "./nextjs-auto-capture": "./nextjs-auto-capture.js",
+    "./nextjs-middleware": "./nextjs-middleware.js",
+    "./nextjs-wrapper": "./nextjs-wrapper.js",
     "./nextjs-webpack-config": "./nextjs-webpack-config.js",
     "./register-vite": "./register-vite.js",
     "./web-vite": {
@@ -44,6 +47,9 @@
     "register.js",
     "tracing.js",
     "nextjs.js",
+    "nextjs-auto-capture.js",
+    "nextjs-middleware.js",
+    "nextjs-wrapper.js",
     "cli.js",
     "postinstall.js",
     "register-vite.js",
@@ -54,7 +60,19 @@
     "NEXTJS-QUICKSTART.md",
     "CUSTOMER-GUIDE.md",
     "AUTO-SETUP.md",
-    "AUTOMATIC-IP-CAPTURE.md"
+    "AUTOMATIC-IP-CAPTURE.md",
+    "REQUEST-BODY-CAPTURE.md",
+    "BODY-CAPTURE-QUICKSTART.md",
+    "REDACTION-EXAMPLES.md",
+    "NEXTJS-BODY-CAPTURE.md",
+    "NEXTJS-BODY-CAPTURE-COMPARISON.md",
+    "NEXTJS-WRAPPER-APPROACH.md",
+    "QUICKSTART-BODY-CAPTURE.md",
+    "AUTO-BODY-CAPTURE.md",
+    "EASIEST-SETUP.md",
+    "SOLUTION-SUMMARY.md",
+    "BODY-CAPTURE-FIX.md",
+    "FINAL-SOLUTION.md"
   ],
   "dependencies": {
     "@opentelemetry/api": "1.7.0",