securenow 6.0.2 → 6.1.0

package/free-trial-banner.js

@@ -0,0 +1,174 @@
+'use strict';
+
+/**
+ * Free Trial Banner — auto-injects a visible "Testing Environment" banner
+ * into HTML pages served by apps using the SecureNow free trial instance.
+ *
+ * Opt-out: set SECURENOW_HIDE_BANNER=1
+ */
+
+const FREETRIAL_HOST = 'freetrial.securenow.ai';
+
+function isFreeTrial(endpointBase) {
+  return !!endpointBase && endpointBase.includes(FREETRIAL_HOST);
+}
+
+/* istanbul ignore next — runs in browser, not Node */
+function _bannerClientCode() {
+  if (window.__snBanner) return;
+  window.__snBanner = 1;
+
+  function create() {
+    if (document.getElementById('sn-ft-banner')) return;
+
+    var d = document.createElement('div');
+    d.id = 'sn-ft-banner';
+    d.style.cssText =
+      'position:fixed;top:0;left:0;right:0;z-index:2147483647;' +
+      'background:#FEF3CD;color:#856404;padding:10px 16px;' +
+      'font-family:system-ui,-apple-system,sans-serif;font-size:13px;' +
+      'text-align:center;border-bottom:2px solid #FFE69C;' +
+      'display:flex;align-items:center;justify-content:center;gap:6px;' +
+      'box-shadow:0 2px 8px rgba(0,0,0,0.12)';
+
+    var icon = document.createElement('span');
+    icon.textContent = '\u26a0\ufe0f';
+    d.appendChild(icon);
+
+    var msg = document.createElement('span');
+    var strong = document.createElement('strong');
+    strong.textContent = 'Testing Environment:';
+    msg.appendChild(strong);
+    msg.appendChild(document.createTextNode(
+      ' Only add test applications. For production usage, '
+    ));
+
+    var link = document.createElement('a');
+    link.href = 'https://app.securenow.ai/dashboard/settings/instances';
+    link.target = '_blank';
+    link.rel = 'noopener';
+    link.style.cssText = 'color:#664D03;font-weight:600;text-decoration:underline';
+    link.textContent = 'create a new production instance';
+    msg.appendChild(link);
+    msg.appendChild(document.createTextNode('.'));
+    d.appendChild(msg);
+
+    var upgradeBtn = document.createElement('a');
+    upgradeBtn.href = 'https://app.securenow.ai/dashboard/settings/instances';
+    upgradeBtn.target = '_blank';
+    upgradeBtn.rel = 'noopener';
+    upgradeBtn.textContent = '\u26a1 Upgrade';
+    upgradeBtn.style.cssText =
+      'display:inline-flex;align-items:center;gap:4px;' +
+      'background:#D97706;color:#fff;padding:4px 12px;border-radius:4px;' +
+      'font-size:12px;font-weight:600;text-decoration:none;margin-left:10px;' +
+      'white-space:nowrap;transition:background 0.15s';
+    upgradeBtn.onmouseover = function () { upgradeBtn.style.background = '#B45309'; };
+    upgradeBtn.onmouseout = function () { upgradeBtn.style.background = '#D97706'; };
+    d.appendChild(upgradeBtn);
+
+    var close = document.createElement('button');
+    close.textContent = '\u00d7';
+    close.style.cssText =
+      'background:none;border:none;color:#856404;font-size:18px;' +
+      'cursor:pointer;margin-left:12px;padding:0 4px;line-height:1';
+    close.onclick = function () { d.style.display = 'none'; };
+    d.appendChild(close);
+
+    document.body.prepend(d);
+  }
+
+  if (document.readyState === 'loading') {
+    document.addEventListener('DOMContentLoaded', create);
+  } else {
+    create();
+  }
+}
+
+var BANNER_SCRIPT =
+  '<script data-securenow-banner>(' +
+  _bannerClientCode.toString() +
+  ')()</scr' + 'ipt>';
+
+/**
+ * Monkey-patch http.ServerResponse to inject the banner script into HTML
+ * responses. Searches for `<head...>` and inserts the script right after it.
+ * Skips compressed responses and non-HTML content types.
+ */
+function patchHttpForBanner() {
+  try {
+    var http = require('http');
+    var _origWrite = http.ServerResponse.prototype.write;
+    var _origEnd   = http.ServerResponse.prototype.end;
+
+    function maybeInject(res, chunk) {
+      if (res._snBannerDone || !chunk) return chunk;
+
+      if (res._snIsHtml === undefined) {
+        var ct = res.getHeader('content-type');
+        var ce = res.getHeader('content-encoding');
+        var csp = res.getHeader('content-security-policy');
+        res._snIsHtml = !!(ct && String(ct).includes('text/html') && !ce && !csp);
+      }
+      if (!res._snIsHtml) {
+        res._snBannerDone = true;
+        return chunk;
+      }
+
+      var isStr = typeof chunk === 'string';
+      var isBuf = Buffer.isBuffer(chunk);
+      if (!isStr && !isBuf) return chunk;
+
+      var str = isStr ? chunk : chunk.toString('utf8');
+      var headIdx = str.indexOf('<head');
+      if (headIdx === -1) return chunk;
+
+      var gt = str.indexOf('>', headIdx);
+      if (gt === -1) return chunk;
+
+      res._snBannerDone = true;
+      var result = str.slice(0, gt + 1) + BANNER_SCRIPT + str.slice(gt + 1);
+      return isStr ? result : Buffer.from(result, 'utf8');
+    }
+
+    http.ServerResponse.prototype.write = function (chunk, encoding, cb) {
+      try {
+        var modified = maybeInject(this, chunk);
+        if (modified !== chunk) {
+          var enc = typeof encoding === 'function' ? 'utf8' : encoding;
+          var callback = typeof encoding === 'function' ? encoding : cb;
+          try {
+            if (this.getHeader('content-length')) {
+              this.setHeader('content-length', Buffer.byteLength(modified));
+            }
+          } catch (_) { /* headers already sent */ }
+          return _origWrite.call(this, modified, enc, callback);
+        }
+      } catch (_) { /* never break the app */ }
+      return _origWrite.call(this, chunk, encoding, cb);
+    };
+
+    http.ServerResponse.prototype.end = function (chunk, encoding, cb) {
+      try {
+        var modified = maybeInject(this, chunk);
+        if (modified !== chunk) {
+          var enc = typeof encoding === 'function' ? 'utf8' : encoding;
+          var callback = typeof encoding === 'function' ? encoding : cb;
+          try {
+            if (this.getHeader('content-length')) {
+              this.setHeader('content-length', Buffer.byteLength(modified));
+            }
+          } catch (_) { /* headers already sent */ }
+          return _origEnd.call(this, modified, enc, callback);
+        }
+      } catch (_) { /* never break the app */ }
+      return _origEnd.call(this, chunk, encoding, cb);
+    };
+
+    console.log('[securenow] Free trial banner injection enabled');
+  } catch (err) {
+    console.warn('[securenow] Could not setup free trial banner:', err.message);
+  }
+}
+
+module.exports = { isFreeTrial, patchHttpForBanner, BANNER_SCRIPT };

package/nextjs-auto-capture.js

@@ -1,207 +1,199 @@
-/**
- * SecureNow Next.js Automatic Body Capture
- * 
- * This module automatically patches Next.js request handling to capture bodies
- * WITHOUT requiring customers to wrap their handlers or change their code.
- * 
- * Usage in instrumentation.ts:
- * 
- * import { registerSecureNow } from 'securenow/nextjs';
- * import 'securenow/nextjs-auto-capture'; // Just import this line!
- * 
- * export function register() {
- *   registerSecureNow();
- * }
- * 
- * That's it! Bodies are now captured automatically.
- */
-
-const { trace } = require('@opentelemetry/api');
-
-// Default sensitive fields to redact
-const DEFAULT_SENSITIVE_FIELDS = [
-  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
-  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
-  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
-];
-
-/**
- * Redact sensitive fields from an object
- */
-function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!obj || typeof obj !== 'object') return obj;
-  
-  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
-  
-  for (const key in redacted) {
-    const lowerKey = key.toLowerCase();
-    
-    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
-      redacted[key] = '[REDACTED]';
-    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
-      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
-    }
-  }
-  
-  return redacted;
-}
-
-/**
- * Safe body capture that doesn't interfere with Next.js
- */
-async function safeBodyCapture(request, span) {
-  if (!span) return;
-  
-  try {
-    const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = parseInt(process.env.SECURENOW_MAX_BODY_SIZE || '10240');
-    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
-    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
-    
-    // Only for supported types
-    if (!contentType.includes('application/json') && 
-        !contentType.includes('application/graphql') &&
-        !contentType.includes('application/x-www-form-urlencoded')) {
-      return;
-    }
-    
-    // Try to read from cache if available (Next.js may have already read it)
-    let bodyText;
-    
-    // Attempt 1: Check if body was already cached by Next.js
-    if (request._bodyText) {
-      bodyText = request._bodyText;
-    } else {
-      // Attempt 2: Try to clone and read
-      try {
-        const cloned = request.clone();
-        bodyText = await cloned.text();
-        // Cache it for Next.js
-        request._bodyText = bodyText;
-      } catch (e) {
-        // If clone fails, body was already consumed - skip silently
-        return;
-      }
-    }
-    
-    if (bodyText.length > maxBodySize) {
-      span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
-      return;
-    }
-    
-    // Parse and redact
-    if (contentType.includes('application/json') || contentType.includes('application/graphql')) {
-      try {
-        const parsed = JSON.parse(bodyText);
-        const redacted = redactSensitiveData(parsed, allSensitiveFields);
-        span.setAttributes({
-          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
-          'http.request.body.size': bodyText.length,
-        });
-      } catch (e) {
-        // Parse error - skip
-      }
-    } else if (contentType.includes('application/x-www-form-urlencoded')) {
-      try {
-        const params = new URLSearchParams(bodyText);
-        const parsed = Object.fromEntries(params);
-        const redacted = redactSensitiveData(parsed, allSensitiveFields);
-        span.setAttributes({
-          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-          'http.request.body.type': 'form',
-          'http.request.body.size': bodyText.length,
-        });
-      } catch (e) {
-        // Parse error - skip
-      }
-    }
-  } catch (error) {
-    // Silently fail - never break the request
-  }
-}
-
-/**
- * Check if body capture is enabled
- */
-function isBodyCaptureEnabled() {
-  const enabled = String(process.env.SECURENOW_CAPTURE_BODY) === '1' || 
-                  String(process.env.SECURENOW_CAPTURE_BODY).toLowerCase() === 'true';
-  return enabled;
-}
-
-/**
- * Patch Next.js Request to cache body text
- * This allows us to read the body without consuming it
- */
-function patchNextRequest() {
-  if (typeof Request === 'undefined') return;
-  
-  const originalText = Request.prototype.text;
-  const originalJson = Request.prototype.json;
-  const originalFormData = Request.prototype.formData;
-  
-  // Patch text() to cache result
-  Request.prototype.text = async function() {
-    if (this._bodyText !== undefined) {
-      return this._bodyText;
-    }
-    const text = await originalText.call(this);
-    this._bodyText = text;
-    
-    // Capture for tracing if enabled
-    if (isBodyCaptureEnabled() && ['POST', 'PUT', 'PATCH'].includes(this.method)) {
-      const span = trace.getActiveSpan();
-      if (span) {
-        // Schedule capture after this call (non-blocking)
-        setImmediate(() => {
-          safeBodyCapture(this, span).catch(() => {});
-        });
-      }
-    }
-    
-    return text;
-  };
-  
-  // Patch json() to cache and capture
-  Request.prototype.json = async function() {
-    // First get text
-    const text = await this.text();
-    // Then parse
-    return JSON.parse(text);
-  };
-  
-  // Patch formData() to cache and capture  
-  Request.prototype.formData = async function() {
-    const text = await this.text();
-    const params = new URLSearchParams(text);
-    return params;
-  };
-  
-  console.log('[securenow] ✅ Auto-capture: Patched Next.js Request for automatic body capture');
-}
-
-// Auto-patch when module is imported
-if (isBodyCaptureEnabled()) {
-  try {
-    patchNextRequest();
-    console.log('[securenow] 📝 Automatic body capture: ENABLED');
-    console.log('[securenow] 💡 No code changes needed - bodies captured automatically!');
-  } catch (error) {
-    console.warn('[securenow] ⚠️  Auto-capture patch failed:', error.message);
-    console.warn('[securenow] 💡 Body capture disabled. Use manual approach if needed.');
-  }
-} else {
-  console.log('[securenow] 📝 Automatic body capture: DISABLED (set SECURENOW_CAPTURE_BODY=1 to enable)');
-}
-
-module.exports = {
-  patchNextRequest,
-  safeBodyCapture,
-  redactSensitiveData,
-  isBodyCaptureEnabled,
-};
-
-
-
-
+/**
+ * SecureNow Next.js Automatic Body Capture
+ * 
+ * This module automatically patches Next.js request handling to capture bodies
+ * WITHOUT requiring customers to wrap their handlers or change their code.
+ * 
+ * Usage in instrumentation.ts:
+ * 
+ * import { registerSecureNow } from 'securenow/nextjs';
+ * import 'securenow/nextjs-auto-capture'; // Just import this line!
+ * 
+ * export function register() {
+ *   registerSecureNow();
+ * }
+ * 
+ * That's it! Bodies are now captured automatically.
+ */
+
+const { trace } = require('@opentelemetry/api');
+
+// Default sensitive fields to redact
+const DEFAULT_SENSITIVE_FIELDS = [
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
+  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
+];
+
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  
+  for (const key of Object.keys(redacted)) {
+    const lowerKey = key.toLowerCase();
+    
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    }
+  }
+  
+  return redacted;
+}
+
+/**
+ * Safe body capture that doesn't interfere with Next.js
+ */
+async function safeBodyCapture(request, span) {
+  if (!span) return;
+  
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    const maxBodySize = Math.max(1024, parseInt(process.env.SECURENOW_MAX_BODY_SIZE, 10) || 10240);
+    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+    
+    // Only for supported types
+    if (!contentType.includes('application/json') && 
+        !contentType.includes('application/graphql') &&
+        !contentType.includes('application/x-www-form-urlencoded')) {
+      return;
+    }
+    
+    // Try to read from cache if available (Next.js may have already read it)
+    let bodyText;
+    
+    // Attempt 1: Check if body was already cached by Next.js
+    if (request._bodyText) {
+      bodyText = request._bodyText;
+    } else {
+      // Attempt 2: Try to clone and read
+      try {
+        const cloned = request.clone();
+        bodyText = await cloned.text();
+        // Cache it for Next.js
+        request._bodyText = bodyText;
+      } catch (e) {
+        // If clone fails, body was already consumed - skip silently
+        return;
+      }
+    }
+    
+    if (bodyText.length > maxBodySize) {
+      span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
+      return;
+    }
+    
+    // Parse and redact
+    if (contentType.includes('application/json') || contentType.includes('application/graphql')) {
+      try {
+        const parsed = JSON.parse(bodyText);
+        const redacted = redactSensitiveData(parsed, allSensitiveFields);
+        span.setAttributes({
+          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
+          'http.request.body.size': bodyText.length,
+        });
+      } catch (e) {
+        // Parse error - skip
+      }
+    } else if (contentType.includes('application/x-www-form-urlencoded')) {
+      try {
+        const params = new URLSearchParams(bodyText);
+        const parsed = Object.fromEntries(params);
+        const redacted = redactSensitiveData(parsed, allSensitiveFields);
+        span.setAttributes({
+          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+          'http.request.body.type': 'form',
+          'http.request.body.size': bodyText.length,
+        });
+      } catch (e) {
+        // Parse error - skip
+      }
+    }
+  } catch (error) {
+    // Silently fail - never break the request
+  }
+}
+
+/**
+ * Check if body capture is enabled
+ */
+function isBodyCaptureEnabled() {
+  const enabled = String(process.env.SECURENOW_CAPTURE_BODY) === '1' || 
+                  String(process.env.SECURENOW_CAPTURE_BODY).toLowerCase() === 'true';
+  return enabled;
+}
+
+/**
+ * Patch Next.js Request to cache body text
+ * This allows us to read the body without consuming it
+ */
+function patchNextRequest() {
+  if (typeof Request === 'undefined') return;
+  
+  const originalText = Request.prototype.text;
+  const originalJson = Request.prototype.json;
+  
+  // Patch text() to cache result
+  Request.prototype.text = async function() {
+    if (this._bodyText !== undefined) {
+      return this._bodyText;
+    }
+    const text = await originalText.call(this);
+    this._bodyText = text;
+    
+    // Capture for tracing if enabled
+    if (isBodyCaptureEnabled() && ['POST', 'PUT', 'PATCH'].includes(this.method)) {
+      const span = trace.getActiveSpan();
+      if (span) {
+        // Schedule capture after this call (non-blocking)
+        setImmediate(() => {
+          safeBodyCapture(this, span).catch(() => {});
+        });
+      }
+    }
+    
+    return text;
+  };
+  
+  // Patch json() to cache and capture
+  Request.prototype.json = async function() {
+    // First get text
+    const text = await this.text();
+    // Then parse
+    return JSON.parse(text);
+  };
+  
+  console.log('[securenow] ✅ Auto-capture: Patched Next.js Request for automatic body capture');
+}
+
+// Auto-patch when module is imported
+if (isBodyCaptureEnabled()) {
+  try {
+    patchNextRequest();
+    console.log('[securenow] 📝 Automatic body capture: ENABLED');
+    console.log('[securenow] 💡 No code changes needed - bodies captured automatically!');
+  } catch (error) {
+    console.warn('[securenow] ⚠️  Auto-capture patch failed:', error.message);
+    console.warn('[securenow] 💡 Body capture disabled. Use manual approach if needed.');
+  }
+} else {
+  console.log('[securenow] 📝 Automatic body capture: DISABLED (set SECURENOW_CAPTURE_BODY=1 to enable)');
+}
+
+module.exports = {
+  patchNextRequest,
+  safeBodyCapture,
+  redactSensitiveData,
+  isBodyCaptureEnabled,
+};
+
+
+
+