securenow 5.10.2 → 5.11.1

package/nextjs-wrapper.js

@@ -1,158 +1,158 @@
-/**
- * SecureNow Next.js API Route Wrapper for Body Capture
- * 
- * This approach is NON-INVASIVE and runs INSIDE your handler,
- * so it never blocks or interferes with middleware or routing.
- * 
- * Usage:
- * 
- * import { withSecureNow } from 'securenow/nextjs-wrapper';
- * 
- * export const POST = withSecureNow(async (request) => {
- *   // Your handler code - request.body is available as parsed JSON
- *   const data = await request.json();
- *   return Response.json({ success: true });
- * });
- */
-
-const { trace } = require('@opentelemetry/api');
-
-// Default sensitive fields to redact
-const DEFAULT_SENSITIVE_FIELDS = [
-  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
-  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
-  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
-];
-
-/**
- * Redact sensitive fields from an object
- */
-function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!obj || typeof obj !== 'object') return obj;
-  
-  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
-  
-  for (const key of Object.keys(redacted)) {
-    const lowerKey = key.toLowerCase();
-    
-    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
-      redacted[key] = '[REDACTED]';
-    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
-      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
-    }
-  }
-  
-  return redacted;
-}
-
-/**
- * Capture body from Request object (clone to avoid consuming)
- */
-async function captureRequestBody(request) {
-  const captureBody = String(process.env.SECURENOW_CAPTURE_BODY) === '1' || 
-                      String(process.env.SECURENOW_CAPTURE_BODY).toLowerCase() === 'true';
-  
-  if (!captureBody) return;
-  if (!['POST', 'PUT', 'PATCH'].includes(request.method)) return;
-  
-  const span = trace.getActiveSpan();
-  if (!span) return;
-  
-  try {
-    const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = Math.max(1024, parseInt(process.env.SECURENOW_MAX_BODY_SIZE, 10) || 10240);
-    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
-    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
-    
-    // Only for supported types
-    if (!contentType.includes('application/json') && 
-        !contentType.includes('application/graphql') &&
-        !contentType.includes('application/x-www-form-urlencoded')) {
-      return;
-    }
-    
-    // Clone to avoid consuming the original
-    const cloned = request.clone();
-    const bodyText = await cloned.text();
-    
-    if (bodyText.length > maxBodySize) {
-      span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
-      span.setAttribute('http.request.body.size', bodyText.length);
-      return;
-    }
-    
-    // Parse and redact based on type
-    let redacted;
-    if (contentType.includes('application/json') || contentType.includes('application/graphql')) {
-      try {
-        const parsed = JSON.parse(bodyText);
-        redacted = redactSensitiveData(parsed, allSensitiveFields);
-        span.setAttributes({
-          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
-          'http.request.body.size': bodyText.length,
-        });
-      } catch (e) {
-        span.setAttribute('http.request.body', '[INVALID JSON]');
-      }
-    } else if (contentType.includes('application/x-www-form-urlencoded')) {
-      const params = new URLSearchParams(bodyText);
-      const parsed = Object.fromEntries(params);
-      redacted = redactSensitiveData(parsed, allSensitiveFields);
-      span.setAttributes({
-        'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-        'http.request.body.type': 'form',
-        'http.request.body.size': bodyText.length,
-      });
-    }
-  } catch (error) {
-    // Silently fail - never block the request
-  }
-}
-
-/**
- * Wrap a Next.js API route handler to capture body
- * This is OPTIONAL and NON-INVASIVE - only use on routes where you want body capture
- */
-function withSecureNow(handler) {
-  return async function wrappedHandler(request, context) {
-    // Capture body asynchronously (doesn't block handler)
-    captureRequestBody(request).catch(() => {
-      // Ignore errors silently
-    });
-    
-    // Call original handler immediately - no blocking!
-    return handler(request, context);
-  };
-}
-
-/**
- * Alternative: Auto-capture wrapper that tries to capture AFTER handler runs
- * This is even safer as it never interferes with the handler logic
- */
-function withSecureNowAsync(handler) {
-  return async function wrappedHandler(request, context) {
-    // Try to capture body in background (non-blocking)
-    const capturePromise = captureRequestBody(request);
-    
-    // Run handler
-    const response = await handler(request, context);
-    
-    // Wait for capture to finish (but don't fail if it doesn't)
-    await capturePromise.catch(() => {});
-    
-    return response;
-  };
-}
-
-module.exports = {
-  withSecureNow,
-  withSecureNowAsync,
-  captureRequestBody,
-  redactSensitiveData,
-  DEFAULT_SENSITIVE_FIELDS,
-};
-
-
-
-
+/**
+ * SecureNow Next.js API Route Wrapper for Body Capture
+ * 
+ * This approach is NON-INVASIVE and runs INSIDE your handler,
+ * so it never blocks or interferes with middleware or routing.
+ * 
+ * Usage:
+ * 
+ * import { withSecureNow } from 'securenow/nextjs-wrapper';
+ * 
+ * export const POST = withSecureNow(async (request) => {
+ *   // Your handler code - request.body is available as parsed JSON
+ *   const data = await request.json();
+ *   return Response.json({ success: true });
+ * });
+ */
+
+const { trace } = require('@opentelemetry/api');
+
+// Default sensitive fields to redact
+const DEFAULT_SENSITIVE_FIELDS = [
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
+  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
+];
+
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  
+  for (const key of Object.keys(redacted)) {
+    const lowerKey = key.toLowerCase();
+    
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    }
+  }
+  
+  return redacted;
+}
+
+/**
+ * Capture body from Request object (clone to avoid consuming)
+ */
+async function captureRequestBody(request) {
+  const captureBody = String(process.env.SECURENOW_CAPTURE_BODY) === '1' || 
+                      String(process.env.SECURENOW_CAPTURE_BODY).toLowerCase() === 'true';
+  
+  if (!captureBody) return;
+  if (!['POST', 'PUT', 'PATCH'].includes(request.method)) return;
+  
+  const span = trace.getActiveSpan();
+  if (!span) return;
+  
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    const maxBodySize = Math.max(1024, parseInt(process.env.SECURENOW_MAX_BODY_SIZE, 10) || 10240);
+    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+    
+    // Only for supported types
+    if (!contentType.includes('application/json') && 
+        !contentType.includes('application/graphql') &&
+        !contentType.includes('application/x-www-form-urlencoded')) {
+      return;
+    }
+    
+    // Clone to avoid consuming the original
+    const cloned = request.clone();
+    const bodyText = await cloned.text();
+    
+    if (bodyText.length > maxBodySize) {
+      span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
+      span.setAttribute('http.request.body.size', bodyText.length);
+      return;
+    }
+    
+    // Parse and redact based on type
+    let redacted;
+    if (contentType.includes('application/json') || contentType.includes('application/graphql')) {
+      try {
+        const parsed = JSON.parse(bodyText);
+        redacted = redactSensitiveData(parsed, allSensitiveFields);
+        span.setAttributes({
+          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
+          'http.request.body.size': bodyText.length,
+        });
+      } catch (e) {
+        span.setAttribute('http.request.body', '[INVALID JSON]');
+      }
+    } else if (contentType.includes('application/x-www-form-urlencoded')) {
+      const params = new URLSearchParams(bodyText);
+      const parsed = Object.fromEntries(params);
+      redacted = redactSensitiveData(parsed, allSensitiveFields);
+      span.setAttributes({
+        'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+        'http.request.body.type': 'form',
+        'http.request.body.size': bodyText.length,
+      });
+    }
+  } catch (error) {
+    // Silently fail - never block the request
+  }
+}
+
+/**
+ * Wrap a Next.js API route handler to capture body
+ * This is OPTIONAL and NON-INVASIVE - only use on routes where you want body capture
+ */
+function withSecureNow(handler) {
+  return async function wrappedHandler(request, context) {
+    // Capture body asynchronously (doesn't block handler)
+    captureRequestBody(request).catch(() => {
+      // Ignore errors silently
+    });
+    
+    // Call original handler immediately - no blocking!
+    return handler(request, context);
+  };
+}
+
+/**
+ * Alternative: Auto-capture wrapper that tries to capture AFTER handler runs
+ * This is even safer as it never interferes with the handler logic
+ */
+function withSecureNowAsync(handler) {
+  return async function wrappedHandler(request, context) {
+    // Try to capture body in background (non-blocking)
+    const capturePromise = captureRequestBody(request);
+    
+    // Run handler
+    const response = await handler(request, context);
+    
+    // Wait for capture to finish (but don't fail if it doesn't)
+    await capturePromise.catch(() => {});
+    
+    return response;
+  };
+}
+
+module.exports = {
+  withSecureNow,
+  withSecureNowAsync,
+  captureRequestBody,
+  redactSensitiveData,
+  DEFAULT_SENSITIVE_FIELDS,
+};
+
+
+
+

package/nextjs.js

@@ -521,8 +521,8 @@ function registerSecureNow(options = {}) {
           } catch (_) {}
 
           // Graceful shutdown for logs
-          process.on('SIGTERM', async () => { try { await loggerProvider.shutdown(); } catch (_) {} });
-          process.on('SIGINT', async () => { try { await loggerProvider.shutdown(); } catch (_) {} });
+          process.on('SIGTERM', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { require('./firewall').shutdown(); } catch (_) {} });
+          process.on('SIGINT', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { require('./firewall').shutdown(); } catch (_) {} });
         } catch (e) {
           console.warn('[securenow] ⚠️  Logging setup failed (missing @opentelemetry/exporter-logs-otlp-http or @opentelemetry/sdk-logs):', e.message);
         }
@@ -541,6 +541,26 @@ function registerSecureNow(options = {}) {
       }
     } catch (_) {}
 
+    // Firewall — auto-activates when SECURENOW_API_KEY is set
+    const firewallApiKey = env('SECURENOW_API_KEY');
+    if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+      try {
+        require('./firewall').init({
+          apiKey: firewallApiKey,
+          apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
+          syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 60,
+          failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
+          statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
+          log: env('SECURENOW_FIREWALL_LOG') !== '0',
+          tcp: env('SECURENOW_FIREWALL_TCP') === '1',
+          iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
+          cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+        });
+      } catch (e) {
+        console.warn('[securenow] Firewall init failed:', e.message);
+      }
+    }
+
     console.log('[securenow] ✅ OpenTelemetry started for Next.js → %s', tracesUrl);
     console.log('[securenow] 📊 Auto-capturing comprehensive request metadata:');
     console.log('[securenow]    • IP addresses (x-forwarded-for, x-real-ip, socket)');