securenow 5.11.2 → 5.12.1

package/cli.js

@@ -1,4 +1,4 @@
-#!/usr/bin/env node
+#!/usr/bin/env node
 'use strict';
 
 const ui = require('./cli/ui');

package/firewall.js

@@ -8,11 +8,15 @@ const { resolveClientIp } = require('./resolve-ip');
 let _options = null;
 let _matcher = null;
 let _syncTimer = null;
+let _versionTimer = null;
 let _lastModified = null;
+let _lastVersion = null;
+let _lastSyncEtag = null;
 let _initialized = false;
+let _consecutiveErrors = 0;
 let _layers = [];
 let _rawIps = [];
-let _stats = { syncs: 0, blocked: 0, allowed: 0 };
+let _stats = { syncs: 0, blocked: 0, allowed: 0, versionChecks: 0, errors: 0 };
 
 // ────── Blocklist Sync ──────
 
@@ -37,7 +41,9 @@ function syncBlocklist(callback) {
     timeout: 10000,
   };
 
-  if (_lastModified) {
+  if (_lastSyncEtag) {
+    reqOptions.headers['If-None-Match'] = _lastSyncEtag;
+  } else if (_lastModified) {
     reqOptions.headers['If-Modified-Since'] = _lastModified;
   }
 
@@ -60,6 +66,7 @@ function syncBlocklist(callback) {
         _rawIps = ips;
         _matcher = createMatcher(ips);
         _lastModified = res.headers['last-modified'] || null;
+        if (res.headers['etag']) _lastSyncEtag = res.headers['etag'];
         _stats.syncs++;
         notifyLayers(ips);
         callback(null, true, _matcher.stats());
@@ -80,32 +87,117 @@ function notifyLayers(ips) {
   }
 }
 
-function startSyncLoop() {
-  const intervalMs = (_options.syncInterval || 60) * 1000;
+function checkVersion(callback) {
+  const url = buildUrl(_options.apiUrl, '/firewall/blocklist/version');
+  const mod = url.startsWith('https') ? https : http;
+  const parsed = new URL(url);
+
+  const headers = {
+    'Authorization': `Bearer ${_options.apiKey}`,
+    'User-Agent': 'securenow-firewall-sdk',
+  };
+  if (_lastVersion) headers['If-None-Match'] = _lastVersion;
+
+  const req = mod.request({
+    hostname: parsed.hostname,
+    port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+    path: parsed.pathname + parsed.search,
+    method: 'GET',
+    headers,
+    timeout: 5000,
+  }, (res) => {
+    _stats.versionChecks++;
+
+    if (res.statusCode === 304) {
+      _consecutiveErrors = 0;
+      res.resume();
+      callback(null, false);
+      return;
+    }
+
+    let data = '';
+    res.on('data', (chunk) => { data += chunk; });
+    res.on('end', () => {
+      if (res.statusCode !== 200) {
+        _consecutiveErrors++;
+        _stats.errors++;
+        callback(null, false);
+        return;
+      }
+      _consecutiveErrors = 0;
+      try {
+        const body = JSON.parse(data);
+        const version = body.version || null;
+        const changed = version !== _lastVersion;
+        if (changed) _lastVersion = version;
+        callback(null, changed);
+      } catch (_e) { callback(null, false); }
+    });
+  });
+
+  req.on('error', () => { _consecutiveErrors++; _stats.errors++; callback(null, false); });
+  req.on('timeout', () => { req.destroy(); _consecutiveErrors++; _stats.errors++; callback(null, false); });
+  req.end();
+}
 
+function doFullSync() {
   syncBlocklist((err, changed, stats) => {
     if (err) {
-      if (_options.log) console.warn('[securenow] Firewall: initial sync failed:', err.message);
-      if (_options.failMode === 'closed') {
-        _matcher = createMatcher([]); // block everything by default via empty matcher
-        _matcher = { isBlocked: () => true, stats: () => ({ exact: 0, cidr: 0, total: 0 }) };
-      }
-    } else if (changed && stats) {
-      if (_options.log) console.log('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', stats.total, stats.exact, stats.cidr);
+      if (_options.log) console.warn('[securenow] Firewall: sync failed (using stale list):', err.message);
+    } else if (changed && stats && _options.log) {
+      console.log('[securenow] Firewall: re-synced %d blocked IPs', stats.total);
     }
-    _initialized = true;
   });
+}
 
-  _syncTimer = setInterval(() => {
+function jitter(baseMs) {
+  return baseMs * (0.8 + Math.random() * 0.4);
+}
+
+function scheduleNextVersionCheck() {
+  const baseMs = (_options.versionCheckInterval || 10) * 1000;
+  const backoffMs = Math.min(baseMs * Math.pow(2, _consecutiveErrors), 120_000);
+  const delayMs = jitter(backoffMs);
+
+  _versionTimer = setTimeout(() => {
+    checkVersion((_err, changed) => {
+      if (changed) {
+        if (_options.log) console.log('[securenow] Firewall: blocklist version changed, syncing…');
+        doFullSync();
+      }
+      scheduleNextVersionCheck();
+    });
+  }, delayMs);
+  if (_versionTimer.unref) _versionTimer.unref();
+}
+
+function startSyncLoop() {
+  const fullSyncIntervalMs = (_options.syncInterval || 300) * 1000;
+  const RETRY_DELAY = 5000;
+
+  function initialSync() {
     syncBlocklist((err, changed, stats) => {
       if (err) {
-        if (_options.log) console.warn('[securenow] Firewall: sync failed (using stale list):', err.message);
-      } else if (changed && stats && _options.log) {
-        console.log('[securenow] Firewall: re-synced %d blocked IPs', stats.total);
+        if (_options.log) console.warn('[securenow] Firewall: initial sync failed:', err.message);
+        if (_options.failMode === 'closed') {
+          _matcher = { isBlocked: () => true, stats: () => ({ exact: 0, cidr: 0, total: 0 }) };
+        }
+        const retryTimer = setTimeout(initialSync, RETRY_DELAY);
+        if (retryTimer.unref) retryTimer.unref();
+        return;
+      }
+      if (changed && stats) {
+        if (_options.log) console.log('[securenow] Firewall: synced %d blocked IPs (%d exact + %d CIDR ranges)', stats.total, stats.exact, stats.cidr);
       }
+      _initialized = true;
     });
-  }, intervalMs);
+  }
+
+  initialSync();
 
+  scheduleNextVersionCheck();
+
+  _syncTimer = setInterval(() => { doFullSync(); }, fullSyncIntervalMs);
   if (_syncTimer.unref) _syncTimer.unref();
 }
 
@@ -115,21 +207,87 @@ const _origHttpCreate = http.createServer;
 const _origHttpsCreate = https.createServer;
 let _httpPatched = false;
 
+function blockedHtml(ip) {
+  const maskedIp = ip || 'unknown';
+  return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Access Blocked — Security Alert</title>
+<style>
+*{margin:0;padding:0;box-sizing:border-box}
+body{min-height:100vh;display:flex;align-items:center;justify-content:center;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,sans-serif;background:#0a0a0a;color:#e5e5e5}
+.wrap{text-align:center;max-width:540px;padding:2.5rem 2rem}
+.icon{width:64px;height:64px;margin:0 auto 1.5rem;border-radius:50%;background:rgba(220,38,38,.12);display:flex;align-items:center;justify-content:center}
+.icon svg{width:32px;height:32px;fill:none;stroke:#dc2626;stroke-width:2;stroke-linecap:round;stroke-linejoin:round}
+.badge{display:inline-block;padding:.25rem .75rem;border-radius:999px;background:rgba(220,38,38,.15);color:#f87171;font-size:.7rem;font-weight:700;letter-spacing:.08em;text-transform:uppercase;margin-bottom:1.25rem}
+h1{font-size:1.6rem;font-weight:700;margin-bottom:.6rem;color:#fff}
+.sub{font-size:1rem;color:#f87171;font-weight:600;margin-bottom:1.25rem}
+p{font-size:.9rem;line-height:1.7;color:#a1a1aa;margin-bottom:.5rem}
+.ip-box{display:inline-block;margin:1rem 0;padding:.6rem 1.5rem;border-radius:8px;background:rgba(255,255,255,.04);border:1px solid rgba(220,38,38,.25);font-family:"SF Mono",SFMono-Regular,Consolas,"Liberation Mono",Menlo,monospace;font-size:.95rem;color:#fca5a5;letter-spacing:.03em}
+.divider{width:48px;height:2px;background:rgba(220,38,38,.3);margin:1.5rem auto}
+.contact{font-size:.85rem;color:#71717a;line-height:1.7}
+.contact a{color:#f87171;text-decoration:none;font-weight:500}
+.contact a:hover{text-decoration:underline}
+.footer{margin-top:2rem;font-size:.7rem;color:#3f3f46}
+</style>
+</head>
+<body>
+<div class="wrap">
+<div class="icon"><svg viewBox="0 0 24 24"><path d="M12 9v4m0 4h.01M10.29 3.86L1.82 18a2 2 0 001.71 3h16.94a2 2 0 001.71-3L13.71 3.86a2 2 0 00-3.42 0z"/></svg></div>
+<span class="badge">Security Alert</span>
+<h1>Access Blocked</h1>
+<p class="sub">Malicious activity detected from your IP address</p>
+<p>Your IP has been flagged and blocked due to suspicious or malicious behavior originating from your network. Our security team has been notified and is actively investigating.</p>
+<div class="ip-box">${maskedIp}</div>
+<div class="divider"></div>
+<p class="contact">If you believe this is a mistake, please contact us at<br><a href="mailto:contact@securenow.ai?subject=Blocked%20IP%20Appeal%20-%20${encodeURIComponent(maskedIp)}&body=IP:%20${encodeURIComponent(maskedIp)}%0ATimestamp:%20${encodeURIComponent(new Date().toISOString())}%0A%0APlease%20describe%20why%20you%20believe%20this%20block%20is%20incorrect:">contact@securenow.ai</a><br>Include your IP address and the time of this incident.</p>
+<p class="footer">Ref: ${maskedIp} &mdash; ${new Date().toISOString()} &mdash; HTTP 403</p>
+</div>
+</body>
+</html>`;
+}
+
 function wrapListener(originalListener) {
   return function firewallGuard(req, res) {
-    if (_matcher) {
-      const ip = resolveClientIp(req);
-      if (_matcher.isBlocked(ip)) {
-        _stats.blocked++;
-        if (_options.log) console.log('[securenow] Firewall: blocked %s via HTTP', ip);
-        const code = _options.statusCode || 403;
+    _stats.allowed++;
+    return originalListener.call(this, req, res);
+  };
+}
+
+function firewallRequestHandler(req, res) {
+  if (_matcher) {
+    const ip = resolveClientIp(req);
+    if (_matcher.isBlocked(ip)) {
+      _stats.blocked++;
+      if (_options && _options.log) console.log('[securenow] Firewall: blocked %s via HTTP', ip);
+      const code = (_options && _options.statusCode) || 403;
+      const accept = req.headers['accept'] || '';
+      if (accept.includes('text/html')) {
+        res.writeHead(code, { 'Content-Type': 'text/html; charset=utf-8' });
+        res.end(blockedHtml(ip));
+      } else {
         res.writeHead(code, { 'Content-Type': 'application/json' });
-        res.end(JSON.stringify({ error: 'Forbidden' }));
-        return;
+        res.end(JSON.stringify({ error: 'Forbidden', ip }));
       }
+      return true;
     }
-    _stats.allowed++;
-    return originalListener.call(this, req, res);
+  }
+  return false;
+}
+
+const _origEmit = http.Server.prototype.emit;
+let _emitPatched = false;
+
+function patchEmitLayer() {
+  if (_emitPatched) return;
+  _emitPatched = true;
+
+  http.Server.prototype.emit = function(event, req, res, ...rest) {
+    if (event === 'request' && req && res && !res.headersSent) {
+      if (firewallRequestHandler(req, res)) return true;
+    }
+    return _origEmit.call(this, event, req, res, ...rest);
   };
 }
 
@@ -137,6 +295,9 @@ function patchHttpLayer() {
   if (_httpPatched) return;
   _httpPatched = true;
 
+  // Patch Server.prototype.emit to intercept requests on already-created servers
+  patchEmitLayer();
+
   http.createServer = function(...args) {
     if (typeof args[args.length - 1] === 'function') {
       args[args.length - 1] = wrapListener(args[args.length - 1]);
@@ -211,6 +372,7 @@ function init(options) {
 }
 
 function shutdown() {
+  if (_versionTimer) { clearTimeout(_versionTimer); _versionTimer = null; }
   if (_syncTimer) { clearInterval(_syncTimer); _syncTimer = null; }
 
   for (const layer of _layers) {
@@ -218,7 +380,10 @@ function shutdown() {
   }
   _layers = [];
 
-  // Restore original createServer
+  if (_emitPatched) {
+    http.Server.prototype.emit = _origEmit;
+    _emitPatched = false;
+  }
   if (_httpPatched) {
     http.createServer = _origHttpCreate;
     https.createServer = _origHttpsCreate;

package/nextjs.js

@@ -548,7 +548,8 @@ function registerSecureNow(options = {}) {
         require('./firewall').init({
           apiKey: firewallApiKey,
           apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-          syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 60,
+          versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+          syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
           failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
           statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
           log: env('SECURENOW_FIREWALL_LOG') !== '0',
@@ -561,6 +562,7 @@ function registerSecureNow(options = {}) {
       }
     }
 
+    
     console.log('[securenow] ✅ OpenTelemetry started for Next.js → %s', tracesUrl);
     console.log('[securenow] 📊 Auto-capturing comprehensive request metadata:');
     console.log('[securenow]    • IP addresses (x-forwarded-for, x-real-ip, socket)');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.11.2",
+  "version": "5.12.1",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js

@@ -556,7 +556,8 @@ const sdk = new NodeSDK({
       require('./firewall').init({
         apiKey: firewallApiKey,
         apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
-        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 60,
+        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
         failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
         statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
         log: env('SECURENOW_FIREWALL_LOG') !== '0',