securenow 7.6.9 → 7.7.1

package/nextjs.js

@@ -27,6 +27,7 @@
 
 const { randomUUID } = require('crypto');
 const appConfig = require('./app-config');
+const { resolveClientIpWithDetails } = require('./resolve-ip');
 const otelResources = require('@opentelemetry/resources');
 
 const env = appConfig.env;
@@ -203,26 +204,11 @@ function registerSecureNow(options = {}) {
           const headers = request.headers || {};
           
           // ======== IP ADDRESS CAPTURE ========
-          // Try different header sources for IP (priority order)
-          const forwardedFor = headers['x-forwarded-for'];
-          const realIp = headers['x-real-ip'];
-          const cfConnectingIp = headers['cf-connecting-ip']; // Cloudflare
-          const clientIp = headers['x-client-ip'];
-          const socketIp = request.socket?.remoteAddress;
-          
-          const PRIVATE_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
-          const isProxied = socketIp && PRIVATE_RE.test(socketIp);
-          let primaryIp = socketIp || 'unknown';
-          if (isProxied) {
-            if (forwardedFor) {
-              const chain = forwardedFor.split(',').map(s => s.trim()).filter(Boolean);
-              for (let i = chain.length - 1; i >= 0; i--) {
-                if (!PRIVATE_RE.test(chain[i])) { primaryIp = chain[i]; break; }
-              }
-            } else {
-              primaryIp = realIp || cfConnectingIp || clientIp || primaryIp;
-            }
-          }
+          const ipDetails = resolveClientIpWithDetails(request);
+          const forwardedFor = ipDetails.forwardedFor;
+          const realIp = ipDetails.realIp;
+          const socketIp = ipDetails.socketIp;
+          const primaryIp = ipDetails.ip || 'unknown';
           
           // ======== PROTOCOL & CONNECTION ========
           const scheme = headers['x-forwarded-proto'] || 
@@ -249,9 +235,16 @@ function registerSecureNow(options = {}) {
           const attributes = {
             // IP & Network
             'http.client_ip': primaryIp,
+            'http.client_ip.source': ipDetails.source,
             'http.forwarded_for': forwardedFor || '',
             'http.real_ip': realIp || '',
             'http.socket_ip': socketIp || '',
+            'http.proxy.trusted': String(!!ipDetails.trustedProxy),
+            'http.request.header.x_forwarded_for': forwardedFor || '',
+            'http.request.header.x_real_ip': realIp || '',
+            'http.request.header.cf_connecting_ip': ipDetails.cfConnectingIp || '',
+            'http.request.header.true_client_ip': ipDetails.trueClientIp || '',
+            'http.request.header.x_client_ip': ipDetails.clientIp || '',
             
             // Protocol & Host
             'http.scheme': scheme,
@@ -327,7 +320,7 @@ function registerSecureNow(options = {}) {
           if (env('NODE_ENV') === 'development' || env('OTEL_LOG_LEVEL') === 'debug') {
             console.log('[securenow] 📡 Captured IP: %s (from: %s)', 
               primaryIp, 
-              forwardedFor ? 'x-forwarded-for' : realIp ? 'x-real-ip' : socketIp ? 'socket' : 'unknown'
+              ipDetails.source || 'unknown'
             );
           }
 
@@ -520,7 +513,8 @@ function registerSecureNow(options = {}) {
                   const reqSpanCtx = otelTrace.getSpanContext(reqCtx);
                   const duration = Date.now() - start;
                   const status = res.statusCode;
-                  const ip = req.headers['x-forwarded-for'] || req.headers['x-real-ip'] || req.socket?.remoteAddress || '-';
+                  const ipDetails = resolveClientIpWithDetails(req);
+                  const ip = ipDetails.ip || '-';
                   const ua = req.headers['user-agent'] || '-';
                   const body = `${method} ${url} ${status} ${duration}ms ip=${ip} ua=${ua}`;
                   const severity = status >= 500 ? SeverityNumber.ERROR : status >= 400 ? SeverityNumber.WARN : SeverityNumber.INFO;
@@ -536,7 +530,12 @@ function registerSecureNow(options = {}) {
                         'http.url': url,
                         'http.status_code': status,
                         'http.duration_ms': duration,
-                        'http.client_ip': String(ip).split(',')[0].trim(),
+                        'http.client_ip': ip,
+                        'http.client_ip.source': ipDetails.source || 'unknown',
+                        'http.socket_ip': ipDetails.socketIp || '',
+                        'http.forwarded_for': ipDetails.forwardedFor || '',
+                        'http.real_ip': ipDetails.realIp || '',
+                        'http.proxy.trusted': String(!!ipDetails.trustedProxy),
                         'http.user_agent': ua,
                       },
                       ...(reqSpanCtx && { context: reqCtx }),

package/nuxt-server-plugin.mjs

@@ -22,6 +22,7 @@ import { randomUUID } from 'node:crypto';
 
 const nodeRequire = createRequire(import.meta.url);
 const appConfig = nodeRequire('./app-config');
+const { resolveClientIpWithDetails } = nodeRequire('./resolve-ip');
 
 // ── Helpers ──
 
@@ -137,17 +138,21 @@ export default defineNitroPlugin(async (nitroApp) => {
     requestHook: (span, request) => {
       try {
         const hdrs = request.headers || {};
-        const fwd = hdrs['x-forwarded-for'];
-        const clientIp =
-          (fwd ? String(fwd).split(',')[0].trim() : null) ||
-          hdrs['x-real-ip'] ||
-          hdrs['cf-connecting-ip'] ||
-          hdrs['x-client-ip'] ||
-          request.socket?.remoteAddress ||
-          'unknown';
+        const ipDetails = resolveClientIpWithDetails(request);
+        const clientIp = ipDetails.ip || 'unknown';
 
         span.setAttributes({
           'http.client_ip': clientIp,
+          'http.client_ip.source': ipDetails.source,
+          'http.socket_ip': ipDetails.socketIp || '',
+          'http.forwarded_for': ipDetails.forwardedFor || '',
+          'http.real_ip': ipDetails.realIp || '',
+          'http.proxy.trusted': String(!!ipDetails.trustedProxy),
+          'http.request.header.x_forwarded_for': ipDetails.forwardedFor || '',
+          'http.request.header.x_real_ip': ipDetails.realIp || '',
+          'http.request.header.cf_connecting_ip': ipDetails.cfConnectingIp || '',
+          'http.request.header.true_client_ip': ipDetails.trueClientIp || '',
+          'http.request.header.x_client_ip': ipDetails.clientIp || '',
           'http.user_agent': hdrs['user-agent'] || '',
           'http.host': hdrs['x-forwarded-host'] || hdrs['host'] || '',
           'http.scheme':

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "7.6.9",
+  "version": "7.7.1",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",

package/resolve-ip.js

@@ -2,75 +2,150 @@
 
 const os = require('os');
 const appConfig = require('./app-config');
-
-const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
-const PRIVATE_IP_RE = /^(127\.|::1$|::ffff:127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|f[cd][0-9a-f]{2}:)/;
-
+
+const LOOPBACK_RE = /^(127\.|::1$|::ffff:127\.)/;
+const PRIVATE_IP_RE = /^(127\.|::1$|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|169\.254\.|100\.(6[4-9]|[7-9]\d|1[01]\d|12[0-7])\.|f[cd][0-9a-f]{2}:)/i;
+
 const trustedProxies = appConfig.listEnv('SECURENOW_TRUSTED_PROXIES');
-const trustedProxySet = trustedProxies.length ? new Set(trustedProxies) : null;
-
-let _hostIp = null;
-function getHostIp() {
-  if (_hostIp !== null) return _hostIp;
-  try {
-    const ifaces = os.networkInterfaces();
-    for (const name of Object.keys(ifaces)) {
-      for (const iface of ifaces[name]) {
-        if (!iface.internal && iface.family === 'IPv4') { _hostIp = iface.address; return _hostIp; }
-      }
-    }
-  } catch (_) {}
-  _hostIp = '';
-  return _hostIp;
-}
-
-function isFromTrustedProxy(socketIp) {
-  if (!socketIp) return false;
-  const normalized = socketIp.replace(/^::ffff:/, '');
-  if (trustedProxySet && trustedProxySet.has(normalized)) return true;
-  return PRIVATE_IP_RE.test(socketIp);
-}
+const trustedProxySet = trustedProxies.length ? new Set(trustedProxies.map(normalizeIp).filter(Boolean)) : null;
+
+let _hostIps = null;
+function normalizeIp(value) {
+  if (Array.isArray(value)) value = value[0];
+  if (!value) return '';
+  let ip = String(value).trim();
+  if (!ip) return '';
+  ip = ip.replace(/^::ffff:/i, '');
+  if (ip.startsWith('[')) {
+    const end = ip.indexOf(']');
+    if (end !== -1) ip = ip.slice(1, end);
+  } else if (/^\d{1,3}(?:\.\d{1,3}){3}:\d+$/.test(ip)) {
+    ip = ip.replace(/:\d+$/, '');
+  }
+  return ip;
+}
+
+function getHostIps() {
+  if (_hostIps !== null) return _hostIps;
+  const ips = new Set();
+  try {
+    const ifaces = os.networkInterfaces();
+    for (const name of Object.keys(ifaces)) {
+      for (const iface of ifaces[name]) {
+        if (!iface.internal && iface.address) {
+          const normalized = normalizeIp(iface.address);
+          if (normalized) ips.add(normalized);
+        }
+      }
+    }
+  } catch (_) {}
+  _hostIps = ips;
+  return _hostIps;
+}
+
+function isFromTrustedProxy(socketIp) {
+  if (!socketIp) return false;
+  const normalized = normalizeIp(socketIp);
+  if (!normalized) return false;
+  if (trustedProxySet && trustedProxySet.has(normalized)) return true;
+  if (getHostIps().has(normalized)) return true;
+  return PRIVATE_IP_RE.test(normalized);
+}
+
+function firstHeaderValue(value) {
+  if (Array.isArray(value)) return value.find(Boolean) || '';
+  return value || '';
+}
+
+function splitForwardedChain(value) {
+  return String(firstHeaderValue(value) || '')
+    .split(',')
+    .map((s) => normalizeIp(s))
+    .filter(Boolean);
+}
+
+function getHeader(headers, name) {
+  if (!headers) return '';
+  return firstHeaderValue(headers[name] || headers[name.toLowerCase()] || headers[name.toUpperCase()]);
+}
+
+function resolveClientIpWithDetails(request) {
+  const socketIp = normalizeIp(request.socket?.remoteAddress || '');
+  const headers = request.headers || {};
+  const trustedProxy = isFromTrustedProxy(socketIp);
+
+  const details = {
+    ip: socketIp,
+    source: socketIp ? 'socket' : 'unknown',
+    socketIp,
+    trustedProxy,
+    forwardedFor: String(getHeader(headers, 'x-forwarded-for') || ''),
+    realIp: String(getHeader(headers, 'x-real-ip') || ''),
+    cfConnectingIp: String(getHeader(headers, 'cf-connecting-ip') || ''),
+    trueClientIp: String(getHeader(headers, 'true-client-ip') || ''),
+    clientIp: String(getHeader(headers, 'x-client-ip') || ''),
+  };
+
+  if (!trustedProxy) return details;
+
+  const chain = splitForwardedChain(details.forwardedFor);
+  if (chain.length) {
+    for (let i = chain.length - 1; i >= 0; i--) {
+      if (!isFromTrustedProxy(chain[i])) {
+        return { ...details, ip: chain[i], source: 'x-forwarded-for' };
+      }
+    }
+    return details;
+  }
+
+  const headerCandidates = [
+    ['cf-connecting-ip', details.cfConnectingIp],
+    ['true-client-ip', details.trueClientIp],
+    ['x-real-ip', details.realIp],
+    ['x-client-ip', details.clientIp],
+  ];
+  for (const [source, raw] of headerCandidates) {
+    const ip = normalizeIp(raw);
+    if (ip) return { ...details, ip, source };
+  }
+
+  if (LOOPBACK_RE.test(socketIp)) {
+    const hostIp = [...getHostIps()][0] || '';
+    if (hostIp) return { ...details, ip: hostIp, source: 'host-network' };
+  }
+
+  if (trustedProxy && getHostIps().has(socketIp)) {
+    return { ...details, source: 'trusted-proxy-socket' };
+  }
+
+  return details;
+}
 
 /**
  * Resolve the real client IP from an HTTP request, respecting trusted proxies.
  * Reads X-Forwarded-For / X-Real-IP only when the direct connection comes
  * from a private/trusted proxy IP. Prevents client-side IP spoofing.
  */
-function resolveClientIp(request) {
-  const socketIp = request.socket?.remoteAddress || '';
-  if (!isFromTrustedProxy(socketIp)) return socketIp;
-
-  const fwd = request.headers['x-forwarded-for'];
-  if (fwd) {
-    const chain = String(fwd).split(',').map(s => s.trim()).filter(Boolean);
-    for (let i = chain.length - 1; i >= 0; i--) {
-      if (!isFromTrustedProxy(chain[i])) return chain[i];
-    }
-    return socketIp;
-  }
-  const headerIp = request.headers['x-real-ip'];
-  if (headerIp) return headerIp;
-
-  if (LOOPBACK_RE.test(socketIp)) {
-    const hostIp = getHostIp();
-    if (hostIp) return hostIp;
-  }
-  return socketIp;
-}
+function resolveClientIp(request) {
+  return resolveClientIpWithDetails(request).ip || '';
+}
 
 /**
  * Resolve IP from a raw TCP socket (no HTTP headers available).
  * Normalizes IPv6-mapped IPv4 addresses.
  */
-function resolveSocketIp(socket) {
-  const raw = socket?.remoteAddress || '';
-  return raw.replace(/^::ffff:/, '');
-}
-
-module.exports = {
-  resolveClientIp,
-  resolveSocketIp,
-  isFromTrustedProxy,
-  LOOPBACK_RE,
-  PRIVATE_IP_RE,
-};
+function resolveSocketIp(socket) {
+  const raw = socket?.remoteAddress || '';
+  return normalizeIp(raw);
+}
+
+module.exports = {
+  resolveClientIp,
+  resolveClientIpWithDetails,
+  resolveSocketIp,
+  isFromTrustedProxy,
+  normalizeIp,
+  getHostIps,
+  LOOPBACK_RE,
+  PRIVATE_IP_RE,
+};

package/tracing.js

@@ -343,16 +343,37 @@ const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveField
 const captureMultipart = !/^(0|false)$/i.test(String(env('SECURENOW_CAPTURE_MULTIPART') ?? ''));
 
 // -------- Trusted proxy IP resolution --------
-const { resolveClientIp, isFromTrustedProxy, LOOPBACK_RE } = require('./resolve-ip');
+const { resolveClientIpWithDetails } = require('./resolve-ip');
 
 // Configure HTTP instrumentation with body capture
 const { HttpInstrumentation } = require('@opentelemetry/instrumentation-http');
 const httpInstrumentation = new HttpInstrumentation({
   requestHook: (span, request) => {
     try {
-      const clientIp = resolveClientIp(request);
-      if (clientIp) {
-        span.setAttribute('http.client_ip', clientIp);
+      const ipDetails = resolveClientIpWithDetails(request);
+      if (ipDetails.ip) {
+        span.setAttribute('http.client_ip', ipDetails.ip);
+        span.setAttribute('http.client_ip.source', ipDetails.source);
+        span.setAttribute('http.socket_ip', ipDetails.socketIp || '');
+        span.setAttribute('http.proxy.trusted', String(!!ipDetails.trustedProxy));
+        if (ipDetails.forwardedFor) {
+          span.setAttribute('http.forwarded_for', ipDetails.forwardedFor);
+          span.setAttribute('http.request.header.x_forwarded_for', ipDetails.forwardedFor);
+        }
+        if (ipDetails.realIp) {
+          span.setAttribute('http.real_ip', ipDetails.realIp);
+          span.setAttribute('http.request.header.x_real_ip', ipDetails.realIp);
+        }
+        if (ipDetails.cfConnectingIp) {
+          span.setAttribute('http.cf.connecting_ip', ipDetails.cfConnectingIp);
+          span.setAttribute('http.request.header.cf_connecting_ip', ipDetails.cfConnectingIp);
+        }
+        if (ipDetails.trueClientIp) {
+          span.setAttribute('http.request.header.true_client_ip', ipDetails.trueClientIp);
+        }
+        if (ipDetails.clientIp) {
+          span.setAttribute('http.request.header.x_client_ip', ipDetails.clientIp);
+        }
       }
 
       if (request.headers) {