npm - securenow - Versions diffs - 5.5.0 → 5.6.1 - Mend

securenow 5.5.0 → 5.6.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/CONSUMING-APPS-GUIDE.md +411 -415
package/NPM_README.md +1544 -1609
package/README.md +9 -21
package/cli/monitor.js +13 -1
package/cli.js +1 -1
package/console-instrumentation.js +6 -1
package/docs/ALL-FRAMEWORKS-QUICKSTART.md +1282 -455
package/docs/EXPRESS-SETUP-GUIDE.md +719 -720
package/docs/LOGGING-GUIDE.md +701 -708
package/docs/LOGGING-QUICKSTART.md +234 -239
package/nextjs.js +19 -3
package/package.json +1 -1
package/tracing.d.ts +1 -0
package/tracing.js +87 -1

package/docs/LOGGING-QUICKSTART.md CHANGED Viewed

@@ -1,239 +1,234 @@
-# SecureNow Logging - Quick Start
-Get logging set up in your Node.js app in under 2 minutes!
----
-## 1. Install
-```bash
-npm install securenow
-```
----
-## 2. Configure Environment
-Create `.env` file or export variables:
-```bash
-SECURENOW_LOGGING_ENABLED=1
-SECURENOW_APPID=my-app
-SECURENOW_INSTANCE=http://your-otlp-backend:4318
-# For SecureNow / hosted OTLP (example):
-# SECURENOW_INSTANCE=https://freetrial.securenow.ai:4318
-# OTEL_EXPORTER_OTLP_HEADERS="x-api-key=<your-key>"
-```
----
-## 3. Add to Your App
-**Option A: Automatic Console Logging (Easiest)**
-Add these two lines at the top of your main file:
-```javascript
-// app.js, index.js, server.js, or main.ts
-require('securenow/register');
-require('securenow/console-instrumentation');
-// That's it! Now use console normally
-console.log('App started');
-console.error('An error occurred', { userId: 123 });
-```
-**Option B: Use NODE_OPTIONS (No code changes)**
-```bash
-NODE_OPTIONS="-r securenow/register -r securenow/console-instrumentation" node app.js
-```
----
-## 4. Run Your App
-```bash
-node app.js
-# or
-npm start
-```
-You should see:
-```
-[securenow] OTel SDK started → http://your-otlp-backend:4318/v1/traces
-[securenow] 📋 Logging: ENABLED → http://your-otlp-backend:4318/v1/logs
-[securenow] Console instrumentation installed
-```
----
-## 5. View Logs in SecureNow
-1. Open your SecureNow dashboard
-2. Go to **Logs** section
-3. Filter by `service.name = my-app`
-4. See all your logs with automatic trace correlation!
----
-## Framework-Specific Examples
-### Express.js
-```javascript
-// app.js
-require('securenow/register');
-require('securenow/console-instrumentation');
-const express = require('express');
-const app = express();
-app.get('/', (req, res) => {
-  console.log('Request received');
-  res.send('Hello World');
-});
-app.listen(3000);
-```
-### Next.js
-```typescript
-// instrumentation.ts (in project root)
-export async function register() {
-  if (process.env.NEXT_RUNTIME === 'nodejs') {
-    process.env.SECURENOW_LOGGING_ENABLED = '1';
-    await import('securenow/register');
-    await import('securenow/console-instrumentation');
-  }
-}
-```
-```bash
-# .env.local
-SECURENOW_LOGGING_ENABLED=1
-SECURENOW_APPID=my-nextjs-app
-SECURENOW_INSTANCE=http://localhost:4318
-```
-### Fastify
-```javascript
-// server.js
-require('securenow/register');
-require('securenow/console-instrumentation');
-const fastify = require('fastify')();
-fastify.get('/', async () => {
-  console.log('Route called');
-  return { hello: 'world' };
-});
-fastify.listen({ port: 3000 });
-```
-### NestJS
-```typescript
-// main.ts
-require('securenow/register');
-require('securenow/console-instrumentation');
-import { NestFactory } from '@nestjs/core';
-import { AppModule } from './app.module';
-async function bootstrap() {
-  const app = await NestFactory.create(AppModule);
-  console.log('App starting');
-  await app.listen(3000);
-}
-bootstrap();
-```
----
-## Troubleshooting
-**Logs not appearing?**
-1. Check `SECURENOW_LOGGING_ENABLED=1` is set
-2. Verify your OTLP / SecureNow endpoint is correct
-3. Enable debug: `OTEL_LOG_LEVEL=debug`
-**Console instrumentation not working?**
-Make sure require order is correct:
-```javascript
-// ✅ Correct
-require('securenow/register');           // First
-require('securenow/console-instrumentation');  // Second
-// ❌ Wrong
-require('express');
-require('securenow/register');  // Too late!
-```
----
-## What Gets Logged?
-All standard console methods:
-- `console.log()` → INFO
-- `console.info()` → INFO
-- `console.warn()` → WARN
-- `console.error()` → ERROR
-- `console.debug()` → DEBUG
-**Structured logging example:**
-```javascript
-console.log('User logged in', {
-  userId: 123,
-  email: 'user@example.com',
-  ip: '192.168.1.1'
-});
-```
-This creates a log with attributes you can filter/search in SecureNow!
----
-## Advanced Usage
-**Direct Logger API:**
-```javascript
-const { getLogger } = require('securenow/tracing');
-const logger = getLogger('my-module', '1.0.0');
-logger.emit({
-  severityNumber: 9,
-  severityText: 'INFO',
-  body: 'Custom log message',
-  attributes: {
-    customField: 'value',
-  },
-});
-```
----
-## Next Steps
-- [Complete Logging Guide](./LOGGING-GUIDE.md) - All features and options
-- [SecureNow](https://securenow.ai/)
-- [Documentation](./INDEX.md)
-- [Combine with Tracing](../README.md) - Full observability
----
-**That's it!** 🎉 Your app is now sending logs to SecureNow.
-Need help? Check the [full documentation](./LOGGING-GUIDE.md) or open an issue.
+# SecureNow Logging - Quick Start
+Get logging set up in your Node.js app in under 2 minutes!
+**Since v5.6.0:** When `SECURENOW_LOGGING_ENABLED=1` is set, all `console.log` / `warn` / `error` / `info` / `debug` calls are automatically forwarded as OTLP log records. You only need `require('securenow/register')`—a separate `console-instrumentation` preload is no longer required.
+---
+## 1. Install
+```bash
+npm install securenow
+```
+---
+## 2. Configure Environment
+Create `.env` file or export variables:
+```bash
+SECURENOW_LOGGING_ENABLED=1
+SECURENOW_APPID=my-app
+SECURENOW_INSTANCE=http://your-otlp-backend:4318
+# For SecureNow / hosted OTLP (example):
+# SECURENOW_INSTANCE=https://freetrial.securenow.ai:4318
+# OTEL_EXPORTER_OTLP_HEADERS="x-api-key=<your-key>"
+```
+---
+## 3. Add to Your App
+**Option A: Automatic Console Logging (Easiest)**
+Add this line at the top of your main file:
+```javascript
+// app.js, index.js, server.js, or main.ts
+require('securenow/register');
+// That's it! Now use console normally
+console.log('App started');
+console.error('An error occurred', { userId: 123 });
+```
+**Option B: Use NODE_OPTIONS (No code changes)**
+```bash
+NODE_OPTIONS="-r securenow/register" node app.js
+```
+---
+## 4. Run Your App
+```bash
+node app.js
+# or
+npm start
+```
+You should see:
+```
+[securenow] OTel SDK started → http://your-otlp-backend:4318/v1/traces
+[securenow] 📋 Logging: ENABLED → http://your-otlp-backend:4318/v1/logs
+```
+---
+## 5. View Logs in SecureNow
+1. Open your SecureNow dashboard
+2. Go to **Logs** section
+3. Filter by `service.name = my-app`
+4. See all your logs with automatic trace correlation!
+---
+## Framework-Specific Examples
+### Express.js
+```javascript
+// app.js
+require('securenow/register');
+const express = require('express');
+const app = express();
+app.get('/', (req, res) => {
+  console.log('Request received');
+  res.send('Hello World');
+});
+app.listen(3000);
+```
+### Next.js
+```typescript
+// instrumentation.ts (in project root)
+export async function register() {
+  if (process.env.NEXT_RUNTIME === 'nodejs') {
+    process.env.SECURENOW_LOGGING_ENABLED = '1';
+    await import('securenow/register');
+  }
+}
+```
+```bash
+# .env.local
+SECURENOW_LOGGING_ENABLED=1
+SECURENOW_APPID=my-nextjs-app
+SECURENOW_INSTANCE=http://localhost:4318
+```
+### Fastify
+```javascript
+// server.js
+require('securenow/register');
+const fastify = require('fastify')();
+fastify.get('/', async () => {
+  console.log('Route called');
+  return { hello: 'world' };
+});
+fastify.listen({ port: 3000 });
+```
+### NestJS
+```typescript
+// main.ts
+require('securenow/register');
+import { NestFactory } from '@nestjs/core';
+import { AppModule } from './app.module';
+async function bootstrap() {
+  const app = await NestFactory.create(AppModule);
+  console.log('App starting');
+  await app.listen(3000);
+}
+bootstrap();
+```
+---
+## Troubleshooting
+**Logs not appearing?**
+1. Check `SECURENOW_LOGGING_ENABLED=1` is set
+2. Verify your OTLP / SecureNow endpoint is correct
+3. Enable debug: `OTEL_LOG_LEVEL=debug`
+**Console logs not forwarding?**
+Load `securenow/register` before other app code so logging hooks run first:
+```javascript
+// ✅ Correct
+require('securenow/register');  // First
+// ❌ Wrong
+require('express');
+require('securenow/register');  // Too late!
+```
+---
+## What Gets Logged?
+All standard console methods:
+- `console.log()` → INFO
+- `console.info()` → INFO
+- `console.warn()` → WARN
+- `console.error()` → ERROR
+- `console.debug()` → DEBUG
+**Structured logging example:**
+```javascript
+console.log('User logged in', {
+  userId: 123,
+  email: 'user@example.com',
+  ip: '192.168.1.1'
+});
+```
+This creates a log with attributes you can filter/search in SecureNow!
+---
+## Advanced Usage
+**Direct Logger API:**
+```javascript
+const { getLogger } = require('securenow/tracing');
+const logger = getLogger('my-module', '1.0.0');
+logger.emit({
+  severityNumber: 9,
+  severityText: 'INFO',
+  body: 'Custom log message',
+  attributes: {
+    customField: 'value',
+  },
+});
+```
+---
+## Next Steps
+- [Complete Logging Guide](./LOGGING-GUIDE.md) - All features and options
+- [SecureNow](https://securenow.ai/)
+- [Documentation](./INDEX.md)
+- [Combine with Tracing](../README.md) - Full observability
+---
+**That's it!** 🎉 Your app is now sending logs to SecureNow.
+Need help? Check the [full documentation](./LOGGING-GUIDE.md) or open an issue.

package/nextjs.js CHANGED Viewed

@@ -551,17 +551,30 @@ function registerSecureNow(options = {}) {
           const origWarn = console.warn;
           const origError = console.error;
+          const { context: otelContext, trace: otelTrace } = require('@opentelemetry/api');
+          function _emitLog(sn, st, args) {
+            try {
+              const activeCtx = otelContext.active();
+              const spanCtx = otelTrace.getSpanContext(activeCtx);
+              logger.emit({
+                severityNumber: sn,
+                severityText: st,
+                body: args.map(String).join(' '),
+                ...(spanCtx && { context: activeCtx }),
+              });
+            } catch (_) {}
+          }
           console.log = (...args) => {
             origLog.apply(console, args);
-            try { logger.emit({ severityNumber: SeverityNumber.INFO, severityText: 'INFO', body: args.map(String).join(' ') }); } catch (_) {}
+            _emitLog(SeverityNumber.INFO, 'INFO', args);
           };
           console.warn = (...args) => {
             origWarn.apply(console, args);
-            try { logger.emit({ severityNumber: SeverityNumber.WARN, severityText: 'WARN', body: args.map(String).join(' ') }); } catch (_) {}
+            _emitLog(SeverityNumber.WARN, 'WARN', args);
           };
           console.error = (...args) => {
             origError.apply(console, args);
-            try { logger.emit({ severityNumber: SeverityNumber.ERROR, severityText: 'ERROR', body: args.map(String).join(' ') }); } catch (_) {}
+            _emitLog(SeverityNumber.ERROR, 'ERROR', args);
           };
           console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
@@ -575,6 +588,8 @@ function registerSecureNow(options = {}) {
                 const start = Date.now();
                 const method = req.method;
                 const url = req.url;
+                const reqCtx = otelContext.active();
+                const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
                 res.on('finish', () => {
                   const duration = Date.now() - start;
@@ -598,6 +613,7 @@ function registerSecureNow(options = {}) {
                         'http.client_ip': String(ip).split(',')[0].trim(),
                         'http.user_agent': ua,
                       },
+                      ...(reqSpanCtx && { context: reqCtx }),
                     });
                   } catch (_) {}
                 });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.5.0",
+  "version": "5.6.1",
   "description": "OpenTelemetry instrumentation for Node.js and Next.js - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.d.ts CHANGED Viewed

@@ -178,5 +178,6 @@ export const loggerProvider: LoggerProvider | null;
  * - SECURENOW_DISABLE_INSTRUMENTATIONS=pkg1,pkg2
  * - OTEL_LOG_LEVEL=info|debug
  * - SECURENOW_TEST_SPAN=1
+ * - SECURENOW_TRUSTED_PROXIES=ip1,ip2       # Additional trusted proxy IPs for X-Forwarded-For
  * - OTEL_EXPORTER_OTLP_LOGS_ENDPOINT=...    # Override logs endpoint
  */

package/tracing.js CHANGED Viewed

@@ -21,7 +21,7 @@
  *   SECURENOW_STRICT=1  -> if no appid/name is provided in cluster, exit(1) so PM2 restarts the worker
  */
-const { diag, DiagConsoleLogger, DiagLogLevel } = require('@opentelemetry/api');
+const { diag, DiagConsoleLogger, DiagLogLevel, context, trace } = require('@opentelemetry/api');
 const { NodeSDK } = require('@opentelemetry/sdk-node');
 const { OTLPTraceExporter } = require('@opentelemetry/exporter-trace-otlp-http');
 const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
@@ -188,11 +188,74 @@ const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB
 const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
 const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+// -------- Trusted proxy IP resolution --------
+// Only trust X-Forwarded-For / X-Real-IP when the direct connection comes from
+// a known proxy (loopback, private RFC-1918/RFC-4193, or an explicit allowlist).
+// This prevents end-users from spoofing their IP via custom headers.
+const os = require('os');
+const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
+const PRIVATE_IP_RE = /^(127\.|::1|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|fc|fd)/;
+const trustedProxyCsv = (env('SECURENOW_TRUSTED_PROXIES') || '').trim();
+const trustedProxySet = trustedProxyCsv ? new Set(trustedProxyCsv.split(',').map(s => s.trim()).filter(Boolean)) : null;
+// Resolve the host's actual network IP once at startup (used when socket is loopback)
+let _hostIp = null;
+function getHostIp() {
+  if (_hostIp !== null) return _hostIp;
+  try {
+    const ifaces = os.networkInterfaces();
+    for (const name of Object.keys(ifaces)) {
+      for (const iface of ifaces[name]) {
+        if (!iface.internal && iface.family === 'IPv4') { _hostIp = iface.address; return _hostIp; }
+      }
+    }
+  } catch (_) {}
+  _hostIp = '';
+  return _hostIp;
+}
+function isFromTrustedProxy(socketIp) {
+  if (!socketIp) return false;
+  const normalized = socketIp.replace(/^::ffff:/, '');
+  if (trustedProxySet && trustedProxySet.has(normalized)) return true;
+  return PRIVATE_IP_RE.test(socketIp);
+}
+function resolveClientIp(request) {
+  const socketIp = request.socket?.remoteAddress || '';
+  if (!isFromTrustedProxy(socketIp)) return socketIp;
+  // Connection is from a trusted proxy — read the leftmost untrusted IP
+  const fwd = request.headers['x-forwarded-for'];
+  if (fwd) {
+    const chain = String(fwd).split(',').map(s => s.trim()).filter(Boolean);
+    for (let i = chain.length - 1; i >= 0; i--) {
+      if (!isFromTrustedProxy(chain[i])) return chain[i];
+    }
+    return chain[0] || socketIp;
+  }
+  const headerIp = request.headers['x-real-ip'];
+  if (headerIp) return headerIp;
+  // Loopback means the client is on this machine — use the host's network IP
+  // so traces are attributed to the actual machine, not a useless ::1 / 127.0.0.1
+  if (LOOPBACK_RE.test(socketIp)) {
+    const hostIp = getHostIp();
+    if (hostIp) return hostIp;
+  }
+  return socketIp;
+}
 // Configure HTTP instrumentation with body capture
 const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
 const httpInstrumentation = new HttpInstrumentation({
   requestHook: (span, request) => {
     try {
+      const clientIp = resolveClientIp(request);
+      if (clientIp) {
+        span.setAttribute('http.client_ip', clientIp);
+      }
       if (captureBody && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
         const contentType = request.headers['content-type'] || '';
@@ -293,6 +356,29 @@ if (loggingEnabled) {
     resource: sharedResource,
   });
   loggerProvider.addLogRecordProcessor(batchLogProcessor);
+  // Auto-patch console.* so every log/warn/error becomes an OTel log record
+  const _logger = loggerProvider.getLogger('console', '1.0.0');
+  const _orig = { log: console.log, info: console.info, warn: console.warn, error: console.error, debug: console.debug };
+  const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
+  function _emit(sn, st, args) {
+    try {
+      const activeCtx = context.active();
+      const spanCtx = trace.getSpanContext(activeCtx);
+      _logger.emit({
+        severityNumber: sn,
+        severityText: st,
+        body: args.map(a => (typeof a === 'object' && a !== null) ? JSON.stringify(a) : String(a)).join(' '),
+        attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
+        ...(spanCtx && { context: activeCtx }),
+      });
+    } catch (_) {}
+  }
+  console.log   = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.log.apply(console, a); };
+  console.info  = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.info.apply(console, a); };
+  console.warn  = function (...a) { _emit(SEV.WARN,  'WARN',  a); _orig.warn.apply(console, a); };
+  console.error = function (...a) { _emit(SEV.ERROR, 'ERROR', a); _orig.error.apply(console, a); };
+  console.debug = function (...a) { _emit(SEV.DEBUG, 'DEBUG', a); _orig.debug.apply(console, a); };
 }
 // -------- SDK --------