npm - securenow - Versions diffs - 5.11.1 → 5.12.0 - Mend

securenow 5.11.1 → 5.12.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/firewall.js CHANGED Viewed

@@ -8,11 +8,14 @@ const { resolveClientIp } = require('./resolve-ip');
 let _options = null;
 let _matcher = null;
 let _syncTimer = null;
+let _versionTimer = null;
 let _lastModified = null;
+let _lastVersion = null;
 let _initialized = false;
+let _consecutiveErrors = 0;
 let _layers = [];
 let _rawIps = [];
-let _stats = { syncs: 0, blocked: 0, allowed: 0 };
+let _stats = { syncs: 0, blocked: 0, allowed: 0, versionChecks: 0, errors: 0 };
 // ────── Blocklist Sync ──────
@@ -37,7 +40,9 @@ function syncBlocklist(callback) {
     timeout: 10000,
   };
-  if (_lastModified) {
+  if (_lastVersion) {
+    reqOptions.headers['If-None-Match'] = _lastVersion;
+  } else if (_lastModified) {
     reqOptions.headers['If-Modified-Since'] = _lastModified;
   }
@@ -60,6 +65,7 @@ function syncBlocklist(callback) {
         _rawIps = ips;
         _matcher = createMatcher(ips);
         _lastModified = res.headers['last-modified'] || null;
+        if (res.headers['etag']) _lastVersion = res.headers['etag'];
         _stats.syncs++;
         notifyLayers(ips);
         callback(null, true, _matcher.stats());
@@ -80,32 +86,117 @@ function notifyLayers(ips) {
   }
 }
-function startSyncLoop() {
-  const intervalMs = (_options.syncInterval || 60) * 1000;
+function checkVersion(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/blocklist/version');
+  const mod = url.startsWith('https') ? https : http;
+  const parsed = new URL(url);
+  const headers = {
+    'Authorization': `Bearer ${_options.apiKey}`,
+    'User-Agent': 'securenow-firewall-sdk',
+  };
+  if (_lastVersion) headers['If-None-Match'] = _lastVersion;
+  const req = mod.request({
+    hostname: parsed.hostname,
+    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+    path: parsed.pathname + parsed.search,
+    method: 'GET',
+    headers,
+    timeout: 5000,
+  }, (res) => {
+    _stats.versionChecks++;
+    if (res.statusCode === 304) {
+      _consecutiveErrors = 0;
+      res.resume();
+      callback(null, false);
+      return;
+    }
+    let data = '';
+    res.on('data', (chunk) => { data += chunk; });
+    res.on('end', () => {
+      if (res.statusCode !== 200) {
+        _consecutiveErrors++;
+        _stats.errors++;
+        callback(null, false);
+        return;
+      }
+      _consecutiveErrors = 0;
+      try {
+        const body = JSON.parse(data);
+        const version = body.version || null;
+        const changed = version !== _lastVersion;
+        if (changed) _lastVersion = version;
+        callback(null, changed);
+      } catch (_e) { callback(null, false); }
+    });
+  });
+  req.on('error', () => { _consecutiveErrors++; _stats.errors++; callback(null, false); });
+  req.on('timeout', () => { req.destroy(); _consecutiveErrors++; _stats.errors++; callback(null, false); });
+  req.end();
+}
+function doFullSync() {
   syncBlocklist((err, changed, stats) => {
     if (err) {
-      if (_options.log) console.warn('[securenow] Firewall: initial sync failed:', err.message);
-      if (_options.failMode === 'closed') {
-        _matcher = createMatcher([]); // block everything by default via empty matcher
-        _matcher = { isBlocked: () => true, stats: () => ({ exact: 0, cidr: 0, total: 0 }) };
-      }
-    } else if (changed && stats) {
-      if (_options.log) console.log('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', stats.total, stats.exact, stats.cidr);
+      if (_options.log) console.warn('[securenow] Firewall: sync failed (using stale list):', err.message);
+    } else if (changed && stats && _options.log) {
+      console.log('[securenow] Firewall: re-synced %d blocked IPs', stats.total);
     }
-    _initialized = true;
   });
+}
-  _syncTimer = setInterval(() => {
+function jitter(baseMs) {
+  return baseMs * (0.8 + Math.random() * 0.4);
+}
+function scheduleNextVersionCheck() {
+  const baseMs = (_options.versionCheckInterval || 10) * 1000;
+  const backoffMs = Math.min(baseMs * Math.pow(2, _consecutiveErrors), 120_000);
+  const delayMs = jitter(backoffMs);
+  _versionTimer = setTimeout(() => {
+    checkVersion((_err, changed) => {
+      if (changed) {
+        if (_options.log) console.log('[securenow] Firewall: blocklist version changed, syncing…');
+        doFullSync();
+      }
+      scheduleNextVersionCheck();
+    });
+  }, delayMs);
+  if (_versionTimer.unref) _versionTimer.unref();
+}
+function startSyncLoop() {
+  const fullSyncIntervalMs = (_options.syncInterval || 300) * 1000;
+  const RETRY_DELAY = 5000;
+  function initialSync() {
     syncBlocklist((err, changed, stats) => {
       if (err) {
-        if (_options.log) console.warn('[securenow] Firewall: sync failed (using stale list):', err.message);
-      } else if (changed && stats && _options.log) {
-        console.log('[securenow] Firewall: re-synced %d blocked IPs', stats.total);
+        if (_options.log) console.warn('[securenow] Firewall: initial sync failed:', err.message);
+        if (_options.failMode === 'closed') {
+          _matcher = { isBlocked: () => true, stats: () => ({ exact: 0, cidr: 0, total: 0 }) };
+        }
+        const retryTimer = setTimeout(initialSync, RETRY_DELAY);
+        if (retryTimer.unref) retryTimer.unref();
+        return;
+      }
+      if (changed && stats) {
+        if (_options.log) console.log('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', stats.total, stats.exact, stats.cidr);
       }
+      _initialized = true;
     });
-  }, intervalMs);
+  }
+  initialSync();
+  scheduleNextVersionCheck();
+  _syncTimer = setInterval(() => { doFullSync(); }, fullSyncIntervalMs);
   if (_syncTimer.unref) _syncTimer.unref();
 }
@@ -115,21 +206,87 @@ const _origHttpCreate = http.createServer;
 const _origHttpsCreate = https.createServer;
 let _httpPatched = false;
+function blockedHtml(ip) {
+  const maskedIp = ip || 'unknown';
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Access Blocked — Security Alert</title>
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{min-height:100vh;display:flex;align-items:center;justify-content:center;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;background:#0a0a0a;color:#e5e5e5}
+.wrap{text-align:center;max-width:540px;padding:2.5rem 2rem}
+.icon{width:64px;height:64px;margin:0 auto 1.5rem;border-radius:50%;background:rgba(220,38,38,.12);display:flex;align-items:center;justify-content:center}
+.icon svg{width:32px;height:32px;fill:none;stroke:#dc2626;stroke-width:2;stroke-linecap:round;stroke-linejoin:round}
+.badge{display:inline-block;padding:.25rem .75rem;border-radius:999px;background:rgba(220,38,38,.15);color:#f87171;font-size:.7rem;font-weight:700;letter-spacing:.08em;text-transform:uppercase;margin-bottom:1.25rem}
+h1{font-size:1.6rem;font-weight:700;margin-bottom:.6rem;color:#fff}
+.sub{font-size:1rem;color:#f87171;font-weight:600;margin-bottom:1.25rem}
+p{font-size:.9rem;line-height:1.7;color:#a1a1aa;margin-bottom:.5rem}
+.ip-box{display:inline-block;margin:1rem 0;padding:.6rem 1.5rem;border-radius:8px;background:rgba(255,255,255,.04);border:1px solid rgba(220,38,38,.25);font-family:"SF Mono",SFMono-Regular,Consolas,"Liberation Mono",Menlo,monospace;font-size:.95rem;color:#fca5a5;letter-spacing:.03em}
+.divider{width:48px;height:2px;background:rgba(220,38,38,.3);margin:1.5rem auto}
+.contact{font-size:.85rem;color:#71717a;line-height:1.7}
+.contact a{color:#f87171;text-decoration:none;font-weight:500}
+.contact a:hover{text-decoration:underline}
+.footer{margin-top:2rem;font-size:.7rem;color:#3f3f46}
+</style>
+</head>
+<body>
+<div class="wrap">
+<div class="icon"><svg viewBox="0 0 24 24"><path d="M12 9v4m0 4h.01M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0z"/></svg></div>
+<span class="badge">Security Alert</span>
+<h1>Access Blocked</h1>
+<p class="sub">Malicious activity detected from your IP address</p>
+<p>Your IP has been flagged and blocked due to suspicious or malicious behavior originating from your network. Our security team has been notified and is actively investigating.</p>
+<div class="ip-box">${maskedIp}</div>
+<div class="divider"></div>
+<p class="contact">If you believe this is a mistake, please contact us at<br><a href="mailto:contact@securenow.ai?subject=Blocked%20IP%20Appeal%20-%20${encodeURIComponent(maskedIp)}&body=IP:%20${encodeURIComponent(maskedIp)}%0ATimestamp:%20${encodeURIComponent(new Date().toISOString())}%0A%0APlease%20describe%20why%20you%20believe%20this%20block%20is%20incorrect:">contact@securenow.ai</a><br>Include your IP address and the time of this incident.</p>
+<p class="footer">Ref: ${maskedIp} &mdash; ${new Date().toISOString()} &mdash; HTTP 403</p>
+</div>
+</body>
+</html>`;
+}
 function wrapListener(originalListener) {
   return function firewallGuard(req, res) {
-    if (_matcher) {
-      const ip = resolveClientIp(req);
-      if (_matcher.isBlocked(ip)) {
-        _stats.blocked++;
-        if (_options.log) console.log('[securenow] Firewall: blocked %s via HTTP', ip);
-        const code = _options.statusCode || 403;
+    _stats.allowed++;
+    return originalListener.call(this, req, res);
+  };
+}
+function firewallRequestHandler(req, res) {
+  if (_matcher) {
+    const ip = resolveClientIp(req);
+    if (_matcher.isBlocked(ip)) {
+      _stats.blocked++;
+      if (_options && _options.log) console.log('[securenow] Firewall: blocked %s via HTTP', ip);
+      const code = (_options && _options.statusCode) || 403;
+      const accept = req.headers['accept'] || '';
+      if (accept.includes('text/html')) {
+        res.writeHead(code, { 'Content-Type': 'text/html; charset=utf-8' });
+        res.end(blockedHtml(ip));
+      } else {
         res.writeHead(code, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'Forbidden' }));
-        return;
+        res.end(JSON.stringify({ error: 'Forbidden', ip }));
       }
+      return true;
     }
-    _stats.allowed++;
-    return originalListener.call(this, req, res);
+  }
+  return false;
+}
+const _origEmit = http.Server.prototype.emit;
+let _emitPatched = false;
+function patchEmitLayer() {
+  if (_emitPatched) return;
+  _emitPatched = true;
+  http.Server.prototype.emit = function(event, req, res, ...rest) {
+    if (event === 'request' && req && res && !res.headersSent) {
+      if (firewallRequestHandler(req, res)) return true;
+    }
+    return _origEmit.call(this, event, req, res, ...rest);
   };
 }
@@ -137,6 +294,9 @@ function patchHttpLayer() {
   if (_httpPatched) return;
   _httpPatched = true;
+  // Patch Server.prototype.emit to intercept requests on already-created servers
+  patchEmitLayer();
   http.createServer = function(...args) {
     if (typeof args[args.length - 1] === 'function') {
       args[args.length - 1] = wrapListener(args[args.length - 1]);
@@ -211,6 +371,7 @@ function init(options) {
 }
 function shutdown() {
+  if (_versionTimer) { clearTimeout(_versionTimer); _versionTimer = null; }
   if (_syncTimer) { clearInterval(_syncTimer); _syncTimer = null; }
   for (const layer of _layers) {
@@ -218,7 +379,10 @@ function shutdown() {
   }
   _layers = [];
-  // Restore original createServer
+  if (_emitPatched) {
+    http.Server.prototype.emit = _origEmit;
+    _emitPatched = false;
+  }
   if (_httpPatched) {
     http.createServer = _origHttpCreate;
     https.createServer = _origHttpsCreate;

package/nextjs.js CHANGED Viewed

@@ -37,7 +37,7 @@
  *    SECURENOW_INSTANCE=http://your-otlp-backend:4318
  */
-const { v4: uuidv4 } = require('uuid');
+const { randomUUID } = require('crypto');
 const env = k => process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
@@ -157,9 +157,9 @@ function registerSecureNow(options = {}) {
     // service.name
     let serviceName;
     if (baseName) {
-      serviceName = noUuid ? baseName : `${baseName}-${uuidv4()}`;
+      serviceName = noUuid ? baseName : `${baseName}-${randomUUID()}`;
     } else {
-      serviceName = `nextjs-app-${uuidv4()}`;
+      serviceName = `nextjs-app-${randomUUID()}`;
       console.warn('[securenow] ⚠️  No SECURENOW_APPID or OTEL_SERVICE_NAME provided. Using fallback: %s', serviceName);
       console.warn('[securenow] 💡 Set SECURENOW_APPID=your-app-name in .env.local for better tracking');
     }
@@ -548,7 +548,8 @@ function registerSecureNow(options = {}) {
         require('./firewall').init({
           apiKey: firewallApiKey,
           apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-          syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 60,
+          versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+          syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
           failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
           statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
           log: env('SECURENOW_FIREWALL_LOG') !== '0',
@@ -561,6 +562,7 @@ function registerSecureNow(options = {}) {
       }
     }
     console.log('[securenow] ✅ OpenTelemetry started for Next.js → %s', tracesUrl);
     console.log('[securenow] 📊 Auto-capturing comprehensive request metadata:');
     console.log('[securenow]    • IP addresses (x-forwarded-for, x-real-ip, socket)');

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.11.1",
+  "version": "5.12.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js CHANGED Viewed

@@ -556,7 +556,8 @@ const sdk = new NodeSDK({
       require('./firewall').init({
         apiKey: firewallApiKey,
         apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 60,
+        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
         failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
         statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
         log: env('SECURENOW_FIREWALL_LOG') !== '0',