securenow 6.0.1 → 6.1.0

package/nextjs.js

@@ -5,21 +5,39 @@
  * 
  * Usage in Next.js app:
  * 
- * 1. Create instrumentation.ts (or .js) in your project root:
+ * 1. Add serverExternalPackages to next.config.js (REQUIRED to avoid webpack bundling issues):
+ * 
+ *    const nextConfig = {
+ *      serverExternalPackages: [
+ *        "securenow",
+ *        "@opentelemetry/sdk-node",
+ *        "@opentelemetry/auto-instrumentations-node",
+ *        "@opentelemetry/instrumentation-http",
+ *        "@opentelemetry/exporter-trace-otlp-http",
+ *        "@opentelemetry/exporter-logs-otlp-http",
+ *        "@opentelemetry/sdk-logs",
+ *        "@opentelemetry/instrumentation",
+ *        "@opentelemetry/resources",
+ *        "@opentelemetry/semantic-conventions",
+ *        "@opentelemetry/api",
+ *        "@opentelemetry/api-logs",
+ *        "@vercel/otel",
+ *      ],
+ *    };
+ * 
+ * 2. Create instrumentation.ts (or .js) in your project root:
  * 
  *    import { registerSecureNow } from 'securenow/nextjs';
  *    export function register() {
  *      registerSecureNow();
  *    }
  * 
- * 2. Set environment variables:
+ * 3. Set environment variables:
  *    SECURENOW_APPID=my-nextjs-app
- *    SECURENOW_INSTANCE=http://your-signoz-host:4318
- * 
- * That's it! 🎉 No webpack warnings!
+ *    SECURENOW_INSTANCE=http://your-otlp-backend:4318
  */
 
-const { v4: uuidv4 } = require('uuid');
+const { randomUUID } = require('crypto');
 
 const env = k => process.env[k] ?? process.env[k.toUpperCase()] ?? process.env[k.toLowerCase()];
 
@@ -50,10 +68,9 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   
   const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
   
-  for (const key in redacted) {
+  for (const key of Object.keys(redacted)) {
     const lowerKey = key.toLowerCase();
     
-    // Check if field is sensitive
     if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
       redacted[key] = '[REDACTED]';
     } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
@@ -65,6 +82,10 @@ function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   return redacted;
 }
 
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
 /**
  * Redact sensitive data from GraphQL query strings
  */
@@ -76,10 +97,10 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   // Redact sensitive fields in GraphQL arguments and variables
   // Matches patterns like: password: "value" or password:"value" or password:'value'
   sensitiveFields.forEach(field => {
-    // Match field: "value" or field: 'value' or field:"value" (with optional spaces)
+    const escaped = escapeRegex(field);
     const patterns = [
-      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
     ];
     
     patterns.forEach(pattern => {
@@ -96,115 +117,6 @@ function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
   return redacted;
 }
 
-/**
- * Parse and capture request body safely
- */
-async function captureRequestBody(request, maxSize = 10240) {
-  try {
-    const contentType = request.headers['content-type'] || '';
-    let body = '';
-    
-    // Collect body chunks
-    const chunks = [];
-    let size = 0;
-    
-    return new Promise((resolve) => {
-      request.on('data', (chunk) => {
-        size += chunk.length;
-        if (size <= maxSize) {
-          chunks.push(chunk);
-        }
-      });
-      
-      request.on('end', () => {
-        if (size > maxSize) {
-          resolve({ 
-            captured: false, 
-            reason: `Body too large (${size} bytes > ${maxSize} bytes)`,
-            size 
-          });
-          return;
-        }
-        
-        body = Buffer.concat(chunks).toString('utf8');
-        
-        // Parse based on content type
-        if (contentType.includes('application/json')) {
-          try {
-            const parsed = JSON.parse(body);
-            resolve({ 
-              captured: true, 
-              type: 'json', 
-              body: parsed,
-              size 
-            });
-          } catch (e) {
-            resolve({ 
-              captured: true, 
-              type: 'json', 
-              body: body.substring(0, 1000),
-              parseError: true,
-              size 
-            });
-          }
-        } else if (contentType.includes('application/graphql')) {
-          // GraphQL queries need redaction too!
-          resolve({ 
-            captured: true, 
-            type: 'graphql', 
-            body: body,  // Will be redacted later
-            size 
-          });
-        } else if (contentType.includes('multipart/form-data')) {
-          // Multipart is NOT captured (files can be huge)
-          resolve({ 
-            captured: false, 
-            type: 'multipart', 
-            reason: 'Multipart data not captured (file uploads)',
-            size 
-          });
-        } else if (contentType.includes('application/x-www-form-urlencoded')) {
-          try {
-            const params = new URLSearchParams(body);
-            const parsed = Object.fromEntries(params);
-            resolve({ 
-              captured: true, 
-              type: 'form', 
-              body: parsed,
-              size 
-            });
-          } catch (e) {
-            resolve({ 
-              captured: true, 
-              type: 'form', 
-              body: body.substring(0, 1000),
-              size 
-            });
-          }
-        } else {
-          resolve({ 
-            captured: true, 
-            type: 'text', 
-            body: body.substring(0, 1000),
-            size 
-          });
-        }
-      });
-      
-      request.on('error', () => {
-        resolve({ captured: false, reason: 'Stream error' });
-      });
-      
-      // Timeout after 100ms
-      setTimeout(() => {
-        resolve({ captured: false, reason: 'Timeout' });
-      }, 100);
-    });
-  } catch (error) {
-    return { captured: false, reason: error.message };
-  }
-}
-
 /**
  * Register SecureNow OpenTelemetry for Next.js using @vercel/otel
  * @param {Object} options - Optional configuration
@@ -245,9 +157,9 @@ function registerSecureNow(options = {}) {
     // service.name
     let serviceName;
     if (baseName) {
-      serviceName = noUuid ? baseName : `${baseName}-${uuidv4()}`;
+      serviceName = noUuid ? baseName : `${baseName}-${randomUUID()}`;
     } else {
-      serviceName = `nextjs-app-${uuidv4()}`;
+      serviceName = `nextjs-app-${randomUUID()}`;
       console.warn('[securenow] ⚠️  No SECURENOW_APPID or OTEL_SERVICE_NAME provided. Using fallback: %s', serviceName);
       console.warn('[securenow] 💡 Set SECURENOW_APPID=your-app-name in .env.local for better tracking');
     }
@@ -261,17 +173,11 @@ function registerSecureNow(options = {}) {
     ).replace(/\/$/, '');
     
     const tracesUrl = env('OTEL_EXPORTER_OTLP_TRACES_ENDPOINT') || `${endpointBase}/v1/traces`;
-    const logsUrl   = env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT')   || `${endpointBase}/v1/logs`;
-
-    // Set environment variables for @vercel/otel to pick up
-    process.env.OTEL_SERVICE_NAME = serviceName;
-    process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
-    process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
+    const logsUrl = env('OTEL_EXPORTER_OTLP_LOGS_ENDPOINT') || `${endpointBase}/v1/logs`;
 
-    // -------- Logging Configuration --------
-    // Opt-in: SECURENOW_LOGGING_ENABLED=1 (or "true").
-    const loggingEnabled = String(env('SECURENOW_LOGGING_ENABLED')) === '1' ||
-                           String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() === 'true';
+    if (!process.env.OTEL_SERVICE_NAME) process.env.OTEL_SERVICE_NAME = serviceName;
+    if (!process.env.OTEL_EXPORTER_OTLP_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_ENDPOINT = endpointBase;
+    if (!process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT) process.env.OTEL_EXPORTER_OTLP_TRACES_ENDPOINT = tracesUrl;
 
     console.log('[securenow] 🚀 Next.js App → service.name=%s', serviceName);
 
@@ -279,7 +185,7 @@ function registerSecureNow(options = {}) {
     const captureBody = String(env('SECURENOW_CAPTURE_BODY')) === '1' || 
                        String(env('SECURENOW_CAPTURE_BODY')).toLowerCase() === 'true' ||
                        options.captureBody === true;
-    const maxBodySize = parseInt(env('SECURENOW_MAX_BODY_SIZE') || '10240'); // 10KB default
+    const maxBodySize = Math.max(1024, parseInt(env('SECURENOW_MAX_BODY_SIZE'), 10) || 10240);
     const customSensitiveFields = (env('SECURENOW_SENSITIVE_FIELDS') || '').split(',').map(s => s.trim()).filter(Boolean);
     const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
 
@@ -313,14 +219,19 @@ function registerSecureNow(options = {}) {
           const clientIp = headers['x-client-ip'];
           const socketIp = request.socket?.remoteAddress;
           
-          // Primary IP (first in chain is the real client)
-          const primaryIp = 
-            (forwardedFor ? forwardedFor.split(',')[0]?.trim() : null) ||
-            realIp ||
-            cfConnectingIp ||
-            clientIp ||
-            socketIp ||
-            'unknown';
+          const PRIVATE_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
+          const isProxied = socketIp && PRIVATE_RE.test(socketIp);
+          let primaryIp = socketIp || 'unknown';
+          if (isProxied) {
+            if (forwardedFor) {
+              const chain = forwardedFor.split(',').map(s => s.trim()).filter(Boolean);
+              for (let i = chain.length - 1; i >= 0; i--) {
+                if (!PRIVATE_RE.test(chain[i])) { primaryIp = chain[i]; break; }
+              }
+            } else {
+              primaryIp = realIp || cfConnectingIp || clientIp || primaryIp;
+            }
+          }
           
           // ======== PROTOCOL & CONNECTION ========
           const scheme = headers['x-forwarded-proto'] || 
@@ -456,6 +367,44 @@ function registerSecureNow(options = {}) {
       },
     });
     
+    // -------- Guard against OTLP exporter socket errors --------
+    // The OTLP HTTP exporter uses keep-alive connections that can be reset by
+    // the remote end (ECONNRESET / "socket hang up"). These transient errors
+    // sometimes escape as unhandled exceptions or rejections. We catch them
+    // here and log at debug level instead of crashing the host app.
+    const _TRANSIENT_CODES = new Set(['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EPIPE', 'EAI_AGAIN']);
+    function _isOtlpTransientError(err) {
+      if (!err) return false;
+      if (_TRANSIENT_CODES.has(err.code)) return true;
+      if (typeof err.message === 'string' && /socket hang up|ECONNRESET/.test(err.message)) return true;
+      return false;
+    }
+    function _looksLikeOtlpStack(err) {
+      const s = err && err.stack;
+      if (!s) return false;
+      return /OTLPTraceExporter|OTLPLogExporter|otlp|exporter.*http|BatchSpanProcessor|BatchLogRecordProcessor/i.test(s)
+        || /node:_http_client|ClientRequest|TLSSocket/i.test(s);
+    }
+    const _diagDebug = (env('OTEL_LOG_LEVEL') || '').toLowerCase() === 'debug';
+    process.on('uncaughtException', (err, origin) => {
+      if (_isOtlpTransientError(err) && _looksLikeOtlpStack(err)) {
+        if (_diagDebug) {
+          console.debug('[securenow] Suppressed transient OTLP exporter error (%s): %s', origin, err.message);
+        }
+        return;
+      }
+      throw err;
+    });
+    process.on('unhandledRejection', (reason) => {
+      if (_isOtlpTransientError(reason) && _looksLikeOtlpStack(reason)) {
+        if (_diagDebug) {
+          console.debug('[securenow] Suppressed transient OTLP exporter rejection: %s', reason && reason.message);
+        }
+        return;
+      }
+      throw reason;
+    });
+
     if (isVercel) {
       // -------- Vercel Environment: Use @vercel/otel --------
       const { registerOTel } = require('@vercel/otel');
@@ -510,70 +459,126 @@ function registerSecureNow(options = {}) {
       
       sdk.start();
       console.log('[securenow] 🎯 Vanilla SDK initialized for self-hosted environment');
-    }
 
-    // -------- Logging pipeline (both Vercel and self-hosted) --------
-    // Neither @vercel/otel nor NodeSDK 0.47.x wires OTLP logs for us, so we
-    // create the LoggerProvider ourselves, register a BatchLogRecordProcessor
-    // (addLogRecordProcessor — the `processors` constructor option was only
-    // added in sdk-logs 0.52 and is silently ignored in 0.47), publish it as
-    // the global logger provider, and auto-patch console.* to emit records.
-    if (loggingEnabled) {
-      const { LoggerProvider, BatchLogRecordProcessor } = require('@opentelemetry/sdk-logs');
-      const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
-      const { logs } = require('@opentelemetry/api-logs');
-      const { Resource } = require('@opentelemetry/resources');
-      const { SemanticResourceAttributes } = require('@opentelemetry/semantic-conventions');
+      // -------- Logging (self-hosted only) --------
+      const loggingEnabled = String(env('SECURENOW_LOGGING_ENABLED')) === '1' || String(env('SECURENOW_LOGGING_ENABLED')).toLowerCase() === 'true';
+      if (loggingEnabled) {
+        try {
+          const { OTLPLogExporter } = require('@opentelemetry/exporter-logs-otlp-http');
+          const { LoggerProvider, BatchLogRecordProcessor } = require('@opentelemetry/sdk-logs');
 
-      const logResource = new Resource({
-        [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
-        [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: env('NODE_ENV') || env('VERCEL_ENV') || 'production',
-        [SemanticResourceAttributes.SERVICE_VERSION]: process.env.npm_package_version || process.env.VERCEL_GIT_COMMIT_SHA || undefined,
-      });
+          const logExporter = new OTLPLogExporter({
+            url: logsUrl,
+            headers: parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS')),
+          });
 
-      const logExporter = new OTLPLogExporter({
-        url: logsUrl,
-        headers: parseHeaders(env('OTEL_EXPORTER_OTLP_HEADERS')),
-      });
-      const loggerProvider = new LoggerProvider({ resource: logResource });
-      loggerProvider.addLogRecordProcessor(new BatchLogRecordProcessor(logExporter));
-      logs.setGlobalLoggerProvider(loggerProvider);
-
-      const _logger = loggerProvider.getLogger('console', '1.0.0');
-      const _orig = { log: console.log, info: console.info, warn: console.warn, error: console.error, debug: console.debug };
-      const SEV = { DEBUG: 5, INFO: 9, WARN: 13, ERROR: 17 };
-      const _emit = (sn, st, args) => {
-        try {
-          _logger.emit({
-            severityNumber: sn,
-            severityText: st,
-            body: args.map(a => (typeof a === 'object' && a !== null)
-              ? (() => { try { return JSON.stringify(a); } catch { return String(a); } })()
-              : String(a)).join(' '),
-            attributes: { 'log.source': 'console', 'log.method': st.toLowerCase() },
+          const loggerProvider = new LoggerProvider({
+            resource: new Resource({
+              [SemanticResourceAttributes.SERVICE_NAME]: serviceName,
+              [SemanticResourceAttributes.DEPLOYMENT_ENVIRONMENT]: env('NODE_ENV') || 'production',
+            }),
           });
-        } catch (_) {}
-      };
-      console.log   = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.log.apply(console, a); };
-      console.info  = function (...a) { _emit(SEV.INFO,  'INFO',  a); _orig.info.apply(console, a); };
-      console.warn  = function (...a) { _emit(SEV.WARN,  'WARN',  a); _orig.warn.apply(console, a); };
-      console.error = function (...a) { _emit(SEV.ERROR, 'ERROR', a); _orig.error.apply(console, a); };
-      console.debug = function (...a) { _emit(SEV.DEBUG, 'DEBUG', a); _orig.debug.apply(console, a); };
-
-      const _shutdownLogs = async () => {
-        try { await Promise.resolve(loggerProvider.forceFlush?.()); } catch (_) {}
-        try { await Promise.resolve(loggerProvider.shutdown?.()); } catch (_) {}
-      };
-      process.on('SIGINT',  _shutdownLogs);
-      process.on('SIGTERM', _shutdownLogs);
-      process.on('beforeExit', _shutdownLogs);
-
-      console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
-    } else {
-      console.log('[securenow] 📋 Logging: DISABLED (set SECURENOW_LOGGING_ENABLED=1 to enable)');
+          loggerProvider.addLogRecordProcessor(new BatchLogRecordProcessor(logExporter));
+
+          // Patch console to forward logs as OTLP log records
+          const logger = loggerProvider.getLogger('console', '1.0.0');
+          const SeverityNumber = { INFO: 9, WARN: 13, ERROR: 17 };
+          const origLog = console.log;
+          const origWarn = console.warn;
+          const origError = console.error;
+
+          const { context: otelContext, trace: otelTrace } = require('@opentelemetry/api');
+          function _emitLog(sn, st, args) {
+            try {
+              const activeCtx = otelContext.active();
+              const spanCtx = otelTrace.getSpanContext(activeCtx);
+              logger.emit({
+                severityNumber: sn,
+                severityText: st,
+                body: args.map(String).join(' '),
+                ...(spanCtx && { context: activeCtx }),
+              });
+            } catch (_) {}
+          }
+          console.log = (...args) => {
+            origLog.apply(console, args);
+            _emitLog(SeverityNumber.INFO, 'INFO', args);
+          };
+          console.warn = (...args) => {
+            origWarn.apply(console, args);
+            _emitLog(SeverityNumber.WARN, 'WARN', args);
+          };
+          console.error = (...args) => {
+            origError.apply(console, args);
+            _emitLog(SeverityNumber.ERROR, 'ERROR', args);
+          };
+
+          console.log('[securenow] 📋 Logging: ENABLED → %s', logsUrl);
+
+          // Auto-log every incoming HTTP request/response
+          try {
+            const http = require('http');
+            const originalEmit = http.Server.prototype.emit;
+            http.Server.prototype.emit = function (event, req, res) {
+              if (event === 'request' && req && res) {
+                const start = Date.now();
+                const method = req.method;
+                const url = req.url;
+                res.on('finish', () => {
+                  const reqCtx = otelContext.active();
+                  const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
+                  const duration = Date.now() - start;
+                  const status = res.statusCode;
+                  const ip = req.headers['x-forwarded-for'] || req.headers['x-real-ip'] || req.socket?.remoteAddress || '-';
+                  const ua = req.headers['user-agent'] || '-';
+                  const body = `${method} ${url} ${status} ${duration}ms ip=${ip} ua=${ua}`;
+                  const severity = status >= 500 ? SeverityNumber.ERROR : status >= 400 ? SeverityNumber.WARN : SeverityNumber.INFO;
+                  const severityText = status >= 500 ? 'ERROR' : status >= 400 ? 'WARN' : 'INFO';
+                  origLog.call(console, '[securenow] %s %s %d %dms', method, url, status, duration);
+                  try {
+                    logger.emit({
+                      severityNumber: severity,
+                      severityText,
+                      body,
+                      attributes: {
+                        'http.method': method,
+                        'http.url': url,
+                        'http.status_code': status,
+                        'http.duration_ms': duration,
+                        'http.client_ip': String(ip).split(',')[0].trim(),
+                        'http.user_agent': ua,
+                      },
+                      ...(reqSpanCtx && { context: reqCtx }),
+                    });
+                  } catch (_) {}
+                });
+              }
+              return originalEmit.apply(this, arguments);
+            };
+            console.log('[securenow] 📋 HTTP request logging: ENABLED');
+          } catch (_) {}
+
+          // Graceful shutdown for logs
+          process.on('SIGTERM', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { require('./firewall').shutdown(); } catch (_) {} });
+          process.on('SIGINT', async () => { try { await loggerProvider.shutdown(); } catch (_) {} try { require('./firewall').shutdown(); } catch (_) {} });
+        } catch (e) {
+          console.warn('[securenow] ⚠️  Logging setup failed (missing @opentelemetry/exporter-logs-otlp-http or @opentelemetry/sdk-logs):', e.message);
+        }
+      } else {
+        console.log('[securenow] 📋 Logging: DISABLED (set SECURENOW_LOGGING_ENABLED=1 to enable)');
+      }
     }
 
     isRegistered = true;
+
+    // Free trial banner (optional — may not be bundled in standalone builds)
+    try {
+      const { isFreeTrial, patchHttpForBanner } = require('./free-trial-banner');
+      if (isFreeTrial(endpointBase) && String(env('SECURENOW_HIDE_BANNER')) !== '1') {
+        patchHttpForBanner();
+      }
+    } catch (_) {}
+
     console.log('[securenow] ✅ OpenTelemetry started for Next.js → %s', tracesUrl);
     console.log('[securenow] 📊 Auto-capturing comprehensive request metadata:');
     console.log('[securenow]    • IP addresses (x-forwarded-for, x-real-ip, socket)');
@@ -605,6 +610,27 @@ function registerSecureNow(options = {}) {
       console.error('[securenow] Make sure OpenTelemetry dependencies are installed');
     }
   }
+
+  // Firewall — runs independently from OTel so it works even if tracing fails
+  const firewallApiKey = env('SECURENOW_API_KEY');
+  if (firewallApiKey && env('SECURENOW_FIREWALL_ENABLED') !== '0') {
+    try {
+      require('./firewall').init({
+        apiKey: firewallApiKey,
+        apiUrl: env('SECURENOW_API_URL') || 'https://api.securenow.ai',
+        versionCheckInterval: parseInt(env('SECURENOW_FIREWALL_VERSION_INTERVAL'), 10) || 10,
+        syncInterval: parseInt(env('SECURENOW_FIREWALL_SYNC_INTERVAL'), 10) || 300,
+        failMode: env('SECURENOW_FIREWALL_FAIL_MODE') || 'open',
+        statusCode: parseInt(env('SECURENOW_FIREWALL_STATUS_CODE'), 10) || 403,
+        log: env('SECURENOW_FIREWALL_LOG') !== '0',
+        tcp: env('SECURENOW_FIREWALL_TCP') === '1',
+        iptables: env('SECURENOW_FIREWALL_IPTABLES') === '1',
+        cloud: env('SECURENOW_FIREWALL_CLOUD') || null,
+      });
+    } catch (e) {
+      console.warn('[securenow] Firewall init failed:', e.message);
+    }
+  }
 }
 
 module.exports = {