securenow 6.0.2 → 6.1.0

package/nextjs-middleware.js

@@ -1,181 +1,186 @@
-/**
- * SecureNow Next.js Middleware for Body Capture
- * 
- * OPTIONAL: Import this in your Next.js app to enable automatic body capture
- * 
- * Usage:
- * 
- * Create middleware.ts in your Next.js app root:
- * 
- * export { middleware } from 'securenow/nextjs-middleware';
- * export const config = {
- *   matcher: '/api/:path*',  // Apply to API routes only
- * };
- * 
- * That's it! Bodies are now captured with sensitive data redacted.
- */
-
-const { trace, context, SpanStatusCode } = require('@opentelemetry/api');
-
-// Default sensitive fields to redact
-const DEFAULT_SENSITIVE_FIELDS = [
-  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
-  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
-  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
-];
-
-/**
- * Redact sensitive fields from an object
- */
-function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!obj || typeof obj !== 'object') return obj;
-  
-  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
-  
-  for (const key in redacted) {
-    const lowerKey = key.toLowerCase();
-    
-    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
-      redacted[key] = '[REDACTED]';
-    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
-      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
-    }
-  }
-  
-  return redacted;
-}
-
-/**
- * Redact sensitive data from GraphQL query strings
- */
-function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!query || typeof query !== 'string') return query;
-  
-  let redacted = query;
-  
-  sensitiveFields.forEach(field => {
-    const patterns = [
-      new RegExp(`(${field}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
-      new RegExp(`(${field}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
-    ];
-    
-    patterns.forEach(pattern => {
-      redacted = redacted.replace(pattern, (match, prefix, value, suffix) => {
-        return suffix ? `${prefix}[REDACTED]${suffix}` : `${prefix}[REDACTED]`;
-      });
-    });
-  });
-  
-  return redacted;
-}
-
-/**
- * Next.js Middleware for Body Capture
- */
-async function middleware(request) {
-  const { NextResponse } = require('next/server');
-  
-  // Only capture for POST/PUT/PATCH
-  if (!['POST', 'PUT', 'PATCH'].includes(request.method)) {
-    return NextResponse.next();
-  }
-  
-  // Get or create a tracer
-  const tracer = trace.getTracer('securenow-middleware');
-  let span = trace.getActiveSpan();
-  let createdSpan = false;
-  
-  // If no active span, create one for this middleware
-  if (!span) {
-    const url = new URL(request.url);
-    span = tracer.startSpan(`middleware ${request.method} ${url.pathname}`);
-    createdSpan = true;
-  }
-  
-  try {
-    const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = parseInt(process.env.SECURENOW_MAX_BODY_SIZE || '10240');
-    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
-    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
-    
-    // Only capture supported types
-    if (contentType.includes('application/json') || 
-        contentType.includes('application/graphql')) {
-      
-      // Clone the request to read body without consuming the original
-      const clonedRequest = request.clone();
-      const bodyText = await clonedRequest.text();
-      
-      if (bodyText.length <= maxBodySize) {
-        let redactedBody;
-        
-        if (contentType.includes('application/graphql')) {
-          // GraphQL: redact query string
-          redactedBody = redactGraphQLQuery(bodyText, allSensitiveFields);
-        } else {
-          // JSON: parse and redact
-          try {
-            const parsed = JSON.parse(bodyText);
-            const redacted = redactSensitiveData(parsed, allSensitiveFields);
-            redactedBody = JSON.stringify(redacted);
-          } catch (e) {
-            redactedBody = bodyText; // Keep as-is if parse fails
-          }
-        }
-        
-        span.setAttributes({
-          'http.request.body': redactedBody.substring(0, maxBodySize),
-          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
-          'http.request.body.size': bodyText.length,
-        });
-      } else {
-        span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
-      }
-    } else if (contentType.includes('application/x-www-form-urlencoded')) {
-      const clonedRequest = request.clone();
-      const formData = await clonedRequest.formData();
-      const parsed = Object.fromEntries(formData);
-      const redacted = redactSensitiveData(parsed, allSensitiveFields);
-      
-      span.setAttributes({
-        'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-        'http.request.body.type': 'form',
-        'http.request.body.size': JSON.stringify(parsed).length,
-      });
-    } else if (contentType.includes('multipart/form-data')) {
-      span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
-      span.setAttribute('http.request.body.type', 'multipart');
-    }
-    
-    // End span if we created it
-    if (createdSpan) {
-      span.setStatus({ code: SpanStatusCode.OK });
-      span.end();
-    }
-  } catch (error) {
-    // Silently fail - don't break the request
-    console.debug('[securenow] Body capture failed:', error.message);
-    
-    // End span with error if we created it
-    if (createdSpan && span) {
-      span.setStatus({ 
-        code: SpanStatusCode.ERROR,
-        message: error.message 
-      });
-      span.end();
-    }
-  }
-  
-  return NextResponse.next();
-}
-
-module.exports = {
-  middleware,
-  redactSensitiveData,
-  redactGraphQLQuery,
-  DEFAULT_SENSITIVE_FIELDS,
-};
-
-
-
-
+/**
+ * SecureNow Next.js Middleware for Body Capture
+ * 
+ * OPTIONAL: Import this in your Next.js app to enable automatic body capture
+ * 
+ * Usage:
+ * 
+ * Create middleware.ts in your Next.js app root:
+ * 
+ * export { middleware } from 'securenow/nextjs-middleware';
+ * export const config = {
+ *   matcher: '/api/:path*',  // Apply to API routes only
+ * };
+ * 
+ * That's it! Bodies are now captured with sensitive data redacted.
+ */
+
+const { trace, context, SpanStatusCode } = require('@opentelemetry/api');
+
+// Default sensitive fields to redact
+const DEFAULT_SENSITIVE_FIELDS = [
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
+  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
+];
+
+/**
+ * Redact sensitive fields from an object
+ */
+function escapeRegex(str) {
+  return str.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
+}
+
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+  
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+  
+  for (const key of Object.keys(redacted)) {
+    const lowerKey = key.toLowerCase();
+    
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    }
+  }
+  
+  return redacted;
+}
+
+/**
+ * Redact sensitive data from GraphQL query strings
+ */
+function redactGraphQLQuery(query, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!query || typeof query !== 'string') return query;
+  
+  let redacted = query;
+  
+  sensitiveFields.forEach(field => {
+    const escaped = escapeRegex(field);
+    const patterns = [
+      new RegExp(`(${escaped}\\s*:\\s*["'])([^"']+)(["'])`, 'gi'),
+      new RegExp(`(${escaped}\\s*:\\s*)([^\\s,})\n]+)`, 'gi'),
+    ];
+    
+    patterns.forEach(pattern => {
+      redacted = redacted.replace(pattern, (match, prefix, value, suffix) => {
+        return suffix ? `${prefix}[REDACTED]${suffix}` : `${prefix}[REDACTED]`;
+      });
+    });
+  });
+  
+  return redacted;
+}
+
+/**
+ * Next.js Middleware for Body Capture
+ */
+async function middleware(request) {
+  const { NextResponse } = require('next/server');
+  
+  // Only capture for POST/PUT/PATCH
+  if (!['POST', 'PUT', 'PATCH'].includes(request.method)) {
+    return NextResponse.next();
+  }
+  
+  // Get or create a tracer
+  const tracer = trace.getTracer('securenow-middleware');
+  let span = trace.getActiveSpan();
+  let createdSpan = false;
+  
+  // If no active span, create one for this middleware
+  if (!span) {
+    const url = new URL(request.url);
+    span = tracer.startSpan(`middleware ${request.method} ${url.pathname}`);
+    createdSpan = true;
+  }
+  
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    const maxBodySize = Math.max(1024, parseInt(process.env.SECURENOW_MAX_BODY_SIZE, 10) || 10240);
+    const customSensitiveFields = (process.env.SECURENOW_SENSITIVE_FIELDS || '').split(',').map(s => s.trim()).filter(Boolean);
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+    
+    // Only capture supported types
+    if (contentType.includes('application/json') || 
+        contentType.includes('application/graphql')) {
+      
+      // Clone the request to read body without consuming the original
+      const clonedRequest = request.clone();
+      const bodyText = await clonedRequest.text();
+      
+      if (bodyText.length <= maxBodySize) {
+        let redactedBody;
+        
+        if (contentType.includes('application/graphql')) {
+          // GraphQL: redact query string
+          redactedBody = redactGraphQLQuery(bodyText, allSensitiveFields);
+        } else {
+          // JSON: parse and redact
+          try {
+            const parsed = JSON.parse(bodyText);
+            const redacted = redactSensitiveData(parsed, allSensitiveFields);
+            redactedBody = JSON.stringify(redacted);
+          } catch (e) {
+            redactedBody = '[UNPARSEABLE - REDACTED FOR SAFETY]';
+          }
+        }
+        
+        span.setAttributes({
+          'http.request.body': redactedBody.substring(0, maxBodySize),
+          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
+          'http.request.body.size': bodyText.length,
+        });
+      } else {
+        span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
+      }
+    } else if (contentType.includes('application/x-www-form-urlencoded')) {
+      const clonedRequest = request.clone();
+      const formData = await clonedRequest.formData();
+      const parsed = Object.fromEntries(formData);
+      const redacted = redactSensitiveData(parsed, allSensitiveFields);
+      
+      span.setAttributes({
+        'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+        'http.request.body.type': 'form',
+        'http.request.body.size': JSON.stringify(parsed).length,
+      });
+    } else if (contentType.includes('multipart/form-data')) {
+      span.setAttribute('http.request.body', '[MULTIPART - NOT CAPTURED]');
+      span.setAttribute('http.request.body.type', 'multipart');
+    }
+    
+    // End span if we created it
+    if (createdSpan) {
+      span.setStatus({ code: SpanStatusCode.OK });
+      span.end();
+    }
+  } catch (error) {
+    // Silently fail - don't break the request
+    console.debug('[securenow] Body capture failed:', error.message);
+    
+    // End span with error if we created it
+    if (createdSpan && span) {
+      span.setStatus({ 
+        code: SpanStatusCode.ERROR,
+        message: error.message 
+      });
+      span.end();
+    }
+  }
+  
+  return NextResponse.next();
+}
+
+module.exports = {
+  middleware,
+  redactSensitiveData,
+  redactGraphQLQuery,
+  DEFAULT_SENSITIVE_FIELDS,
+};
+
+
+
+

package/nextjs-webpack-config.js

@@ -1,33 +1,100 @@
+'use strict';
+
+/**
+ * Next.js configuration helpers for SecureNow
+ *
+ * Usage (recommended — zero-list approach):
+ *
+ *   const { withSecureNow } = require('securenow/nextjs-webpack-config');
+ *   module.exports = withSecureNow({
+ *     // your existing next.config options
+ *   });
+ *
+ * Legacy webpack-only helper (still exported for backwards compat):
+ *
+ *   const { getSecureNowWebpackConfig } = require('securenow/nextjs-webpack-config');
+ *   module.exports = { webpack: (config, opts) => getSecureNowWebpackConfig(config, opts) };
+ */
+
+const EXTERNAL_PACKAGES = [
+  'securenow',
+  '@opentelemetry/sdk-node',
+  '@opentelemetry/auto-instrumentations-node',
+  '@opentelemetry/instrumentation-http',
+  '@opentelemetry/exporter-trace-otlp-http',
+  '@opentelemetry/exporter-logs-otlp-http',
+  '@opentelemetry/sdk-logs',
+  '@opentelemetry/instrumentation',
+  '@opentelemetry/resources',
+  '@opentelemetry/semantic-conventions',
+  '@opentelemetry/api',
+  '@opentelemetry/api-logs',
+  '@vercel/otel',
+];
+
+function detectNextMajor() {
+  try {
+    const pkg = require('next/package.json');
+    return parseInt(pkg.version, 10) || 14;
+  } catch {
+    return 14;
+  }
+}
+
 /**
- * Next.js webpack configuration for SecureNow
- * 
- * Add this to your next.config.js to suppress OpenTelemetry instrumentation warnings
- * 
- * Usage:
- * const { getSecureNowWebpackConfig } = require('securenow/nextjs-webpack-config');
- * 
- * module.exports = {
- *   webpack: (config, options) => {
- *     return getSecureNowWebpackConfig(config, options);
- *   }
- * };
+ * Wrap a Next.js config object to auto-externalize SecureNow + OTel
+ * packages and enable the instrumentation hook.
+ *
+ *   module.exports = withSecureNow({ reactStrictMode: true });
  */
+function withSecureNow(userConfig) {
+  if (typeof userConfig === 'function') {
+    return (...args) => withSecureNow(userConfig(...args));
+  }
+
+  const cfg = { ...userConfig };
+  const major = detectNextMajor();
+
+  if (major >= 15) {
+    cfg.serverExternalPackages = dedup([
+      ...(cfg.serverExternalPackages || []),
+      ...EXTERNAL_PACKAGES,
+    ]);
+  } else {
+    cfg.experimental = { ...(cfg.experimental || {}) };
+    cfg.experimental.instrumentationHook = true;
+    cfg.experimental.serverComponentsExternalPackages = dedup([
+      ...(cfg.experimental.serverComponentsExternalPackages || []),
+      ...EXTERNAL_PACKAGES,
+    ]);
+  }
+
+  const origWebpack = cfg.webpack;
+  cfg.webpack = (config, options) => {
+    const c = origWebpack ? origWebpack(config, options) : config;
+    return getSecureNowWebpackConfig(c, options);
+  };
+
+  return cfg;
+}
 
+function dedup(arr) {
+  return [...new Set(arr)];
+}
+
+/**
+ * Legacy: suppress OTel webpack warnings and add externals.
+ */
 function getSecureNowWebpackConfig(config, options) {
   const { isServer } = options;
-  
-  // Only apply to server-side builds
+
   if (isServer) {
-    // Suppress warnings for OpenTelemetry instrumentations
     config.ignoreWarnings = config.ignoreWarnings || [];
-    
     config.ignoreWarnings.push(
-      // Ignore "Critical dependency" warnings from instrumentations
       {
         module: /@opentelemetry\/instrumentation/,
         message: /Critical dependency: the request of a dependency is an expression/,
       },
-      // Ignore missing optional peer dependencies
       {
         module: /@opentelemetry/,
         message: /Module not found.*@opentelemetry\/winston-transport/,
@@ -35,43 +102,11 @@ function getSecureNowWebpackConfig(config, options) {
       {
         module: /@opentelemetry/,
         message: /Module not found.*@opentelemetry\/exporter-jaeger/,
-      }
+      },
     );
-    
-    // Externalize problematic packages (don't bundle them)
-    config.externals = config.externals || [];
-    
-    // Add OpenTelemetry packages as externals
-    if (typeof config.externals === 'function') {
-      const originalExternals = config.externals;
-      config.externals = async (...args) => {
-        const result = await originalExternals(...args);
-        if (result) return result;
-        
-        const [context, request] = args;
-        
-        // Externalize OpenTelemetry instrumentation packages
-        if (request.startsWith('@opentelemetry/')) {
-          return `commonjs ${request}`;
-        }
-        
-        return undefined;
-      };
-    } else if (Array.isArray(config.externals)) {
-      config.externals.push(/@opentelemetry\//);
-    } else {
-      config.externals = [/@opentelemetry\//];
-    }
   }
-  
+
   return config;
 }
 
-module.exports = { getSecureNowWebpackConfig };
-
-
-
-
-
-
-
+module.exports = { withSecureNow, getSecureNowWebpackConfig, EXTERNAL_PACKAGES };