securenow 5.9.0 → 5.10.0

package/console-instrumentation.js

@@ -36,6 +36,12 @@ if (!logger) {
   return;
 }
 
+if (console.__securenow_patched) {
+  console.warn('[securenow] Console already instrumented by tracing.js — skipping to avoid duplicate logs.');
+  module.exports = {};
+  return;
+}
+
 // Store original console methods
 const originalConsole = {
   log: console.log,

package/nextjs-auto-capture.js

@@ -139,7 +139,6 @@ function patchNextRequest() {
   
   const originalText = Request.prototype.text;
   const originalJson = Request.prototype.json;
-  const originalFormData = Request.prototype.formData;
   
   // Patch text() to cache result
   Request.prototype.text = async function() {
@@ -171,13 +170,6 @@ function patchNextRequest() {
     return JSON.parse(text);
   };
   
-  // Patch formData() to cache and capture  
-  Request.prototype.formData = async function() {
-    const text = await this.text();
-    const params = new URLSearchParams(text);
-    return params;
-  };
-  
   console.log('[securenow] ✅ Auto-capture: Patched Next.js Request for automatic body capture');
 }
 

package/nextjs.js

@@ -68,10 +68,9 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
-    // Check if field is sensitive
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
       redacted[key] = '[REDACTED]';
     } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
@@ -83,6 +82,10 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   return redacted;
 }
 
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 /**
  * Redact sensitive data from GraphQL query strings
  */
@@ -94,10 +97,10 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   // Redact sensitive fields in GraphQL arguments and variables
   // Matches patterns like: password: "value" or password:"value" or password:'value'
   sensitiveFields.forEach(field => {
-    // Match field: "value" or field: 'value' or field:"value" (with optional spaces)
+    const escaped = escapeRegex(field);
     const patterns = [
-      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
     ];
     
     patterns.forEach(pattern => {
@@ -114,115 +117,6 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   return redacted;
 }
 
-/**
- * Parse and capture request body safely
- */
-async function captureRequestBody(request, maxSize = 10240) {
-  try {
-    const contentType = request.headers['content-type'] || '';
-    let body = '';
-    
-    // Collect body chunks
-    const chunks = [];
-    let size = 0;
-    
-    return new Promise((resolve) => {
-      request.on('data', (chunk) => {
-        size += chunk.length;
-        if (size <= maxSize) {
-          chunks.push(chunk);
-        }
-      });
-      
-      request.on('end', () => {
-        if (size > maxSize) {
-          resolve({ 
-            captured: false, 
-            reason: `Body too large (${size} bytes > ${maxSize} bytes)`,
-            size 
-          });
-          return;
-        }
-        
-        body = Buffer.concat(chunks).toString('utf8');
-        
-        // Parse based on content type
-        if (contentType.includes('application/json')) {
-          try {
-            const parsed = JSON.parse(body);
-            resolve({ 
-              captured: true, 
-              type: 'json', 
-              body: parsed,
-              size 
-            });
-          } catch (e) {
-            resolve({ 
-              captured: true, 
-              type: 'json', 
-              body: body.substring(0, 1000),
-              parseError: true,
-              size 
-            });
-          }
-        } else if (contentType.includes('application/graphql')) {
-          // GraphQL queries need redaction too!
-          resolve({ 
-            captured: true, 
-            type: 'graphql', 
-            body: body,  // Will be redacted later
-            size 
-          });
-        } else if (contentType.includes('multipart/form-data')) {
-          // Multipart is NOT captured (files can be huge)
-          resolve({ 
-            captured: false, 
-            type: 'multipart', 
-            reason: 'Multipart data not captured (file uploads)',
-            size 
-          });
-        } else if (contentType.includes('application/x-www-form-urlencoded')) {
-          try {
-            const params = new URLSearchParams(body);
-            const parsed = Object.fromEntries(params);
-            resolve({ 
-              captured: true, 
-              type: 'form', 
-              body: parsed,
-              size 
-            });
-          } catch (e) {
-            resolve({ 
-              captured: true, 
-              type: 'form', 
-              body: body.substring(0, 1000),
-              size 
-            });
-          }
-        } else {
-          resolve({ 
-            captured: true, 
-            type: 'text', 
-            body: body.substring(0, 1000),
-            size 
-          });
-        }
-      });
-      
-      request.on('error', () => {
-        resolve({ captured: false, reason: 'Stream error' });
-      });
-      
-      // Timeout after 100ms
-      setTimeout(() => {
-        resolve({ captured: false, reason: 'Timeout' });
-      }, 100);
-    });
-  } catch (error) {
-    return { captured: false, reason: error.message };
-  }
-}
-
 /**
  * Register SecureNow OpenTelemetry for Next.js using @vercel/otel
  * @param {Object} options - Optional configuration
@@ -281,10 +175,9 @@ function registerSecureNow(options = {}) {
     const tracesUrl = env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
     const logsUrl = env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
 
-    // Set environment variables for @vercel/otel to pick up
-    process.env.OTEL_SERVICE_NAME = serviceName;
-    process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
-    process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
+    if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
+    if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
+    if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
 
     console.log('[securenow] 🚀 Next.js App → service.name=%s', serviceName);
 
@@ -292,7 +185,7 @@ function registerSecureNow(options = {}) {
     const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' || 
                        String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true' ||
                        options.captureBody === true;
-    const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB default
+    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
     const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
@@ -326,14 +219,19 @@ function registerSecureNow(options = {}) {
           const clientIp = headers['x-client-ip'];
           const socketIp = request.socket?.remoteAddress;
           
-          // Primary IP (first in chain is the real client)
-          const primaryIp = 
-            (forwardedFor ? forwardedFor.split(',')[0]?.trim() : null) ||
-            realIp ||
-            cfConnectingIp ||
-            clientIp ||
-            socketIp ||
-            'unknown';
+          const PRIVATE_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
+          const isProxied = socketIp && PRIVATE_RE.test(socketIp);
+          let primaryIp = socketIp || 'unknown';
+          if (isProxied) {
+            if (forwardedFor) {
+              const chain = forwardedFor.split(',').map(s => s.trim()).filter(Boolean);
+              for (let i = chain.length - 1; i >= 0; i--) {
+                if (!PRIVATE_RE.test(chain[i])) { primaryIp = chain[i]; break; }
+              }
+            } else {
+              primaryIp = realIp || cfConnectingIp || clientIp || primaryIp;
+            }
+          }
           
           // ======== PROTOCOL & CONNECTION ========
           const scheme = headers['x-forwarded-proto'] || 
@@ -588,10 +486,9 @@ function registerSecureNow(options = {}) {
                 const start = Date.now();
                 const method = req.method;
                 const url = req.url;
-                const reqCtx = otelContext.active();
-                const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
-
                 res.on('finish', () => {
+                  const reqCtx = otelContext.active();
+                  const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
                   const duration = Date.now() - start;
                   const status = res.statusCode;
                   const ip = req.headers['x-forwarded-for'] || req.headers['x-real-ip'] || req.socket?.remoteAddress || '-';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "5.9.0",
+  "version": "5.10.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/tracing.js

@@ -370,7 +370,7 @@ function resolveClientIp(request) {
     for (let i = chain.length - 1; i >= 0; i--) {
       if (!isFromTrustedProxy(chain[i])) return chain[i];
     }
-    return chain[0] || socketIp;
+    return socketIp;
   }
   const headerIp = request.headers['x-real-ip'];
   if (headerIp) return headerIp;
@@ -394,12 +394,12 @@ const httpInstrumentation = new HttpInstrumentation({
         span.setAttribute('http.client_ip', clientIp);
       }
 
-      if (captureBody && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
+      if ((captureBody || captureMultipart) && request.method && ['POST', 'PUT', 'PATCH'].includes(request.method)) {
         const contentType = request.headers['content-type'] || '';
         
-        if (contentType.includes('application/json') || 
+        if (captureBody && (contentType.includes('application/json') || 
             contentType.includes('application/graphql') ||
-            contentType.includes('application/x-www-form-urlencoded')) {
+            contentType.includes('application/x-www-form-urlencoded'))) {
           
           let body = '';
           const chunks = [];
@@ -545,6 +545,7 @@ if (loggingEnabled) {
   console.warn  = function (...a) { _emit(SEV.WARN,  'WARN',  a); _orig.warn.apply(console, a); };
   console.error = function (...a) { _emit(SEV.ERROR, 'ERROR', a); _orig.error.apply(console, a); };
   console.debug = function (...a) { _emit(SEV.DEBUG, 'DEBUG', a); _orig.debug.apply(console, a); };
+  console.__securenow_patched = true;
 }
 
 // -------- SDK --------

package/web-vite.mjs

@@ -72,20 +72,19 @@ function uuidv4(): string {
 }
 
 let serviceName: string;
+let disabled = false;
 if (baseName) {
   serviceName = noUuid ? baseName : `${baseName}-${uuidv4()}`;
 } else {
   if (strict) {
     console.error('[securenow/web-vite] FATAL: SECURENOW_APPID/OTEL_SERVICE_NAME missing and SECURENOW_STRICT=1. Tracing disabled.');
-    // Do not start tracing
     // @ts-expect-error
     window.__SECURENOW_DISABLED__ = true;
-    // eslint-disable-next-line @typescript-eslint/no-unused-vars
-    const _noop = true;
-    // early return by throwing a no-op error caught below:
-    throw new Error('__SECURENOW_NO_START__');
+    disabled = true;
+    serviceName = 'disabled';
+  } else {
+    serviceName = `securenow-free-${uuidv4()}`;
   }
-  serviceName = `securenow-free-${uuidv4()}`;
 }
 
 const instancePrefix = baseName || 'securenow';
@@ -109,7 +108,7 @@ try {
 let started = false;
 
 export function startSecurenowWeb() {
-  if (started) return;
+  if (started || disabled) return;
   started = true;
 
   const exporter = new OTLPTraceExporter({
@@ -145,9 +144,10 @@ export function startSecurenowWeb() {
 
   // Optional smoke span (same flag name)
   if (String(env('SECURENOW_TEST_SPAN')) === '1') {
-    const api = await import('@opentelemetry/api');
-    const tracer = api.trace.getTracer('securenow-smoke');
-    const span = tracer.startSpan('securenow.startup.smoke.web'); span.end();
+    import('@opentelemetry/api').then(api => {
+      const tracer = api.trace.getTracer('securenow-smoke');
+      const span = tracer.startSpan('securenow.startup.smoke.web'); span.end();
+    }).catch(() => {});
   }
 
   // eslint-disable-next-line no-console
@@ -233,9 +233,7 @@ try {
   startSecurenowWeb();
   injectFreeTrialBanner();
 } catch (e: any) {
-  if (String(e?.message) !== '__SECURENOW_NO_START__') {
-    console.error('[securenow/web-vite] failed to start:', e);
-  }
+  console.error('[securenow/web-vite] failed to start:', e);
 }
 
 export default startSecurenowWeb;