securenow 8.2.0 → 8.4.0

package/NPM_README.md

@@ -259,6 +259,27 @@ npx securenow notifications read-all
 
 ### Alerting
 
+### Revoke / kill sessions (new in 8.3)
+
+```js
+const securenow = require('securenow/sessions');
+// One line: emits session.seen (feeds impossible-travel / concurrent-session
+// detection) AND rejects revoked sessions. Auto-detects NextAuth/connect.sid/JWT.
+app.use(securenow.guard());
+// ...or check manually:
+if (securenow.isRevoked({ sessionId, userId })) return res.status(401).send('re-auth');
+// ...or emit-only (detection without enforcement):
+app.use(securenow.capture());
+```
+
+Revoke from the CLI (the SDK enforces within ~seconds, outbound-only, fail-open):
+
+```bash
+npx securenow revoke session <session-id> --reason "impossible travel"
+npx securenow revoke user <user-id> --duration 7d        # kill all of a user's sessions
+npx securenow revoke list
+```
+
 ### Emit custom security events (new in 8.2)
 
 ```js

package/cli/security.js

@@ -583,6 +583,88 @@ async function blocklistList(args, flags) {
   }
 }
 
+async function revokeRoute(args, flags) {
+  const sub = args[0];
+  if (sub === 'list') return revokeList(args.slice(1), flags);
+  if (sub === 'restore') return revokeRestore(args.slice(1), flags);
+  if (sub === 'session' || sub === 'user') return revokeAdd(sub, args.slice(1), flags);
+  ui.error('Usage: securenow revoke <session <id> | user <id> | list | restore <id>> [--reason "..."] [--duration 24h] [--app <key>] [--env <env>]');
+  process.exit(1);
+}
+
+async function revokeAdd(type, args, flags) {
+  requireAuth();
+  const value = args[0];
+  if (!value) {
+    ui.error(`Usage: securenow revoke ${type} <${type === 'session' ? 'session-id' : 'user-id'}> [--reason "..."] [--duration 24h] [--app <key>] [--env <env>]`);
+    process.exit(1);
+  }
+  const body = { type, value, source: 'cli' };
+  if (flags.reason) body.reason = flags.reason;
+  if (flags.duration) body.duration = flags.duration;
+  if (flags.app || flags.apps) body.applicationKey = flags.app || flags.apps;
+  if (flags.env || flags.environment) body.environment = flags.env || flags.environment;
+
+  const s = ui.spinner(`Revoking ${type} ${value}`);
+  try {
+    const data = await api.post('/revocations', body);
+    s.stop(`Revoked ${type} ${ui.truncate(value, 24)}`);
+    if (flags.json) { ui.json(data); return; }
+    const r = data.revocation || data;
+    ui.keyValue([
+      ['ID', r._id || r.id || '-'],
+      ['Type', r.type || type],
+      ['Value', r.value || value],
+      ['Scope', r.applicationKey || 'all apps'],
+      ['Expires', r.expiresAt ? new Date(r.expiresAt).toISOString() : 'never'],
+    ]);
+  } catch (err) {
+    s.fail('Failed to revoke');
+    throw err;
+  }
+}
+
+async function revokeList(args, flags) {
+  requireAuth();
+  const s = ui.spinner('Fetching revocations');
+  try {
+    const query = {};
+    if (flags.type) query.type = flags.type;
+    if (flags.status) query.status = flags.status;
+    const data = await api.get('/revocations', { query });
+    const entries = data.revocations || [];
+    s.stop(`Found ${entries.length} revocation${entries.length !== 1 ? 's' : ''}`);
+    if (flags.json) { ui.json(entries); return; }
+    console.log('');
+    ui.table(['ID', 'Type', 'Value', 'Scope', 'Expires'], entries.map((r) => [
+      ui.c.dim(ui.truncate(r._id || r.id, 12)),
+      r.type,
+      ui.truncate(r.value, 28),
+      r.applicationKey || ui.c.dim('all'),
+      r.expiresAt ? new Date(r.expiresAt).toISOString().slice(0, 16) : ui.c.dim('never'),
+    ]));
+    console.log('');
+  } catch (err) {
+    s.fail('Failed to list revocations');
+    throw err;
+  }
+}
+
+async function revokeRestore(args, flags) {
+  requireAuth();
+  const id = args[0];
+  if (!id) { ui.error('Usage: securenow revoke restore <id> [--reason "..."]'); process.exit(1); }
+  const s = ui.spinner('Restoring');
+  try {
+    const data = await api.post(`/revocations/${id}/restore`, { reason: flags.reason || '' });
+    s.stop('Revocation lifted');
+    if (flags.json) ui.json(data);
+  } catch (err) {
+    s.fail('Failed to restore');
+    throw err;
+  }
+}
+
 async function blocklistAdd(args, flags) {
   requireAuth();
   let ip = args[0];
@@ -1337,6 +1419,7 @@ module.exports = {
   blocklistAdd,
   blocklistRemove,
   blocklistStats,
+  revokeRoute,
   allowlistList,
   allowlistAdd,
   allowlistRemove,

package/cli.js

@@ -437,6 +437,18 @@ const COMMANDS = {
     },
     defaultSub: 'list',
   },
+  revoke: {
+    desc: 'Revoke sessions/users (kill stolen sessions; the SDK enforces via securenow/sessions)',
+    usage: 'securenow revoke <session <id> | user <id> | list | restore <id>> [options]',
+    flags: { reason: 'Audit reason', duration: 'Expiry, e.g. 24h or 7d (default 7d)', app: 'Scope to app key', env: 'Scope to environment', environment: 'Alias for --env', type: 'List filter: session or user', status: 'List filter: active or restored', json: 'Output as JSON' },
+    sub: {
+      session: { desc: 'Revoke a session id', usage: 'securenow revoke session <session-id> [--reason <r>] [--duration 24h] [--app <key>]', run: (a, f) => require('./cli/security').revokeRoute(['session', ...a], f) },
+      user: { desc: 'Revoke all sessions of a user id', usage: 'securenow revoke user <user-id> [--reason <r>] [--duration 24h] [--app <key>]', run: (a, f) => require('./cli/security').revokeRoute(['user', ...a], f) },
+      list: { desc: 'List active revocations', run: (a, f) => require('./cli/security').revokeRoute(['list', ...a], f) },
+      restore: { desc: 'Lift a revocation', usage: 'securenow revoke restore <id> [--reason <r>]', run: (a, f) => require('./cli/security').revokeRoute(['restore', ...a], f) },
+    },
+    defaultSub: 'list',
+  },
   allowlist: {
     desc: 'Manage IP allowlist (only allow listed IPs)',
     usage: 'securenow allowlist <subcommand> [options]',
@@ -710,7 +722,7 @@ function showHelp(commandName) {
     'Detect & Respond': ['human', 'notifications', 'alerts', 'fp'],
     'Investigate': ['ip', 'forensics'],
     'Firewall': ['firewall'],
-    'Remediation': ['automation', 'ratelimit', 'blocklist', 'allowlist', 'trusted'],
+    'Remediation': ['automation', 'ratelimit', 'blocklist', 'revoke', 'allowlist', 'trusted'],
     'Telemetry': ['log', 'event', 'test-span'],
     'Utilities': ['redact', 'cidr', 'doctor', 'env', 'mcp'],
     'Settings': ['instances', 'config', 'version'],

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "securenow",
-  "version": "8.2.0",
+  "version": "8.4.0",
   "description": "OpenTelemetry instrumentation for Node.js, Next.js, and Nuxt - Send traces and logs to any OTLP-compatible backend",
   "type": "commonjs",
   "main": "register.js",
@@ -54,6 +54,10 @@
       "types": "./events.d.ts",
       "default": "./events.js"
     },
+    "./sessions": {
+      "types": "./sessions.d.ts",
+      "default": "./sessions.js"
+    },
     "./console-instrumentation": {
       "default": "./console-instrumentation.js"
     },
@@ -118,6 +122,8 @@
     "tracing.d.ts",
     "events.js",
     "events.d.ts",
+    "sessions.js",
+    "sessions.d.ts",
     "console-instrumentation.js",
     "nextjs.js",
     "nextjs.d.ts",

package/sessions.d.ts

@@ -0,0 +1,37 @@
+import type { IncomingMessage, ServerResponse } from "http";
+
+export interface GuardOptions {
+  /** Extract the session id from a request. Defaults to NextAuth/connect.sid cookie or hashed Bearer token. */
+  getSessionId?: (req: IncomingMessage) => string | null | undefined;
+  /** Extract the user id from a request. Defaults to the JWT `sub` claim. */
+  getUserId?: (req: IncomingMessage) => string | null | undefined;
+  /** Custom rejection handler. Default: 401 + clears known session cookies. */
+  onRevoked?: (req: any, res: any, next: any, ctx: { sessionId: string | null; userId: string | null }) => void;
+  /** Background sync interval in ms (default 30000). */
+  syncIntervalMs?: number;
+  /** Emit session.seen events for detection (default true). Set false to enforce only. */
+  capture?: boolean;
+  /** Dedup window for session.seen emission, per (session, ip), in ms (default 300000). */
+  captureWindowMs?: number;
+}
+
+/** Start background revocation sync (called automatically by guard()). */
+export function start(options?: GuardOptions): void;
+
+/** Force one sync now. Best-effort; never throws. */
+export function syncOnce(): Promise<boolean>;
+
+/** Is this session/user currently revoked? */
+export function isRevoked(input: { sessionId?: string | null; userId?: string | null }): boolean;
+
+/** Express-style middleware: emits session.seen (detection) AND rejects revoked sessions. Fail-open. */
+export function guard(options?: GuardOptions): (req: any, res: any, next: any) => void;
+
+/** Express-style middleware that ONLY emits session.seen (detection feed, no enforcement). */
+export function capture(options?: GuardOptions): (req: any, res: any, next: any) => void;
+
+/** Resolve the client IP from a request (X-Forwarded-For / CF / socket). */
+export function resolveClientIp(req: any): string | null;
+
+/** SHA-256 helper (used to hash raw session tokens consistently). */
+export function sha256(value: string): string;

package/sessions.js

@@ -0,0 +1,301 @@
+'use strict';
+
+// SecureNow session/user revocation enforcement (the "kill the stolen session"
+// half of account-takeover response).
+//
+//   const securenow = require('securenow/sessions');
+//   app.use(securenow.guard());           // auto-detects NextAuth/connect.sid/JWT sessions
+//   // ...or check manually in your auth middleware:
+//   if (securenow.isRevoked({ sessionId, userId })) return res.status(401)...
+//
+// The SDK pulls active revocations from SecureNow (outbound, ETag-cached) and
+// checks each request locally — no inbound webhook, works behind NAT, portable
+// to any language. Fail-open: a SecureNow/network outage never blocks traffic.
+
+const crypto = require('crypto');
+const appConfig = require('./app-config');
+const events = require('./events');
+
+let _entries = new Map(); // "type:value" -> expiryMs (0 = never)
+let _etag = null;
+let _started = false;
+let _timer = null;
+let _syncIntervalMs = 30000;
+
+function sha256(value) {
+  return crypto.createHash('sha256').update(String(value)).digest('hex');
+}
+
+function resolveSyncTarget() {
+  try {
+    const fw = appConfig.resolveFirewallOptions();
+    const apiUrl = String((fw && fw.apiUrl) || '').replace(/\/$/, '');
+    const apiKey = fw && fw.apiKey;
+    const resolvedApp = appConfig.resolveAll();
+    const appKey = resolvedApp && resolvedApp.appKey;
+    let env = 'production';
+    try { env = appConfig.resolveDeploymentEnvironment() || 'production'; } catch {}
+    if (!apiUrl || !apiKey || !appKey) return null;
+    const url = `${apiUrl}/api/v1/revocations/sync?app=${encodeURIComponent(appKey)}&env=${encodeURIComponent(env)}`;
+    return { url, apiKey, appKey };
+  } catch {
+    return null;
+  }
+}
+
+function applyEntries(list) {
+  const next = new Map();
+  for (const e of list || []) {
+    if (!e || !e.type || !e.value) continue;
+    const exp = e.expiresAt ? Date.parse(e.expiresAt) : 0;
+    next.set(`${e.type}:${e.value}`, Number.isFinite(exp) ? exp : 0);
+  }
+  _entries = next;
+}
+
+function syncOnce() {
+  return new Promise((resolve) => {
+    const t = resolveSyncTarget();
+    if (!t) return resolve(false);
+    let parsed;
+    let lib;
+    try {
+      parsed = new (require('url').URL)(t.url);
+      lib = parsed.protocol === 'https:' ? require('https') : require('http');
+    } catch {
+      return resolve(false);
+    }
+    const headers = { Authorization: `Bearer ${t.apiKey}`, 'x-securenow-app-key': t.appKey };
+    if (_etag) headers['if-none-match'] = _etag;
+    const req = lib.request(
+      {
+        method: 'GET',
+        hostname: parsed.hostname,
+        port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+        path: parsed.pathname + parsed.search,
+        headers,
+        timeout: 5000,
+      },
+      (res) => {
+        if (res.statusCode === 304) {
+          res.resume();
+          return resolve(true);
+        }
+        const etag = res.headers.etag;
+        const chunks = [];
+        res.on('data', (c) => chunks.push(c));
+        res.on('end', () => {
+          if (res.statusCode >= 200 && res.statusCode < 300) {
+            try {
+              const body = JSON.parse(Buffer.concat(chunks).toString('utf8'));
+              applyEntries(body && body.revocations && body.revocations.entries);
+              if (etag) _etag = etag;
+            } catch {}
+            return resolve(true);
+          }
+          return resolve(false);
+        });
+      }
+    );
+    req.on('error', () => resolve(false));
+    req.on('timeout', () => {
+      try { req.destroy(); } catch {}
+      resolve(false);
+    });
+    req.end();
+  });
+}
+
+function isExpired(exp) {
+  return exp && Date.now() > exp;
+}
+
+/**
+ * Is this session/user currently revoked? Pass whatever you have.
+ * @param {{sessionId?: string, userId?: string}} input
+ */
+function isRevoked(input) {
+  if (!input) return false;
+  const sid = input.sessionId != null ? String(input.sessionId) : null;
+  const uid = input.userId != null ? String(input.userId) : null;
+  if (sid) {
+    const e = _entries.get(`session:${sid}`);
+    if (e !== undefined && !isExpired(e)) return true;
+  }
+  if (uid) {
+    const e = _entries.get(`user:${uid}`);
+    if (e !== undefined && !isExpired(e)) return true;
+  }
+  return false;
+}
+
+function start(options = {}) {
+  if (options.syncIntervalMs) _syncIntervalMs = options.syncIntervalMs;
+  if (_started) return;
+  _started = true;
+  syncOnce();
+  _timer = setInterval(syncOnce, _syncIntervalMs);
+  if (_timer && typeof _timer.unref === 'function') _timer.unref();
+}
+
+// --- Tier-0 auto session detection (zero app code) -------------------------
+const SESSION_COOKIES = [
+  '__Secure-next-auth.session-token',
+  '__Host-next-auth.session-token',
+  'next-auth.session-token',
+  'connect.sid',
+  'session',
+  'sid',
+];
+
+function parseCookies(header) {
+  const out = {};
+  if (!header) return out;
+  for (const part of String(header).split(';')) {
+    const i = part.indexOf('=');
+    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
+  }
+  return out;
+}
+
+// Mirrors how an auto-adapter emits session.id/enduser.id: hash the raw
+// cookie/token; read the JWT `sub` for the user id.
+function defaultExtract(req) {
+  let sessionId = null;
+  let userId = null;
+  const headers = req.headers || {};
+  const auth = headers.authorization || headers.Authorization;
+  if (auth && /^Bearer\s+/i.test(auth)) {
+    const token = auth.replace(/^Bearer\s+/i, '').trim();
+    if (token) {
+      sessionId = sha256(token);
+      try {
+        const seg = token.split('.')[1] || '';
+        const payload = JSON.parse(Buffer.from(seg, 'base64').toString('utf8'));
+        if (payload && payload.sub) userId = String(payload.sub);
+      } catch {}
+    }
+  }
+  if (!sessionId && headers.cookie) {
+    const cookies = parseCookies(headers.cookie);
+    for (const name of SESSION_COOKIES) {
+      if (cookies[name]) {
+        sessionId = sha256(cookies[name]);
+        break;
+      }
+    }
+  }
+  return { sessionId, userId };
+}
+
+// --- Tier-0 auto-emit of session.seen (feeds session-theft detection) -------
+// Emitting on EVERY request would be huge volume, so we dedup per
+// (session, ip) within a window — enough to capture every new
+// session/network combination, which is what concurrent-network /
+// impossible-travel detection needs.
+const _seen = new Map(); // "sid|ip" -> lastEmitMs
+const _SEEN_MAX = 5000;
+let _captureWindowMs = 5 * 60 * 1000;
+
+function resolveClientIp(req) {
+  const h = (req && req.headers) || {};
+  const xff = h['x-forwarded-for'];
+  if (xff) return String(Array.isArray(xff) ? xff[0] : xff).split(',')[0].trim();
+  if (h['cf-connecting-ip']) return String(h['cf-connecting-ip']).trim();
+  if (h['x-real-ip']) return String(h['x-real-ip']).trim();
+  const sock = req && (req.socket || req.connection);
+  return (sock && sock.remoteAddress) || null;
+}
+
+function emitSessionSeen(sessionId, userId, ip) {
+  if (!sessionId && !userId) return;
+  const key = `${sessionId || ''}|${ip || ''}`;
+  const now = Date.now();
+  const last = _seen.get(key);
+  if (last && now - last < _captureWindowMs) return; // deduped
+  if (_seen.size > _SEEN_MAX) _seen.clear();
+  _seen.set(key, now);
+  try {
+    events.track('session.seen', { sessionId, userId, ip });
+  } catch {
+    /* never throw into the app */
+  }
+}
+
+function extractIdentity(req, getSessionId, getUserId) {
+  let sessionId = null;
+  let userId = null;
+  if (getSessionId || getUserId) {
+    if (getSessionId) sessionId = getSessionId(req);
+    if (getUserId) userId = getUserId(req);
+  } else {
+    const d = defaultExtract(req);
+    sessionId = d.sessionId;
+    userId = d.userId;
+  }
+  return { sessionId, userId };
+}
+
+/**
+ * Middleware that ONLY emits session.seen (detection feed), no enforcement.
+ * Use this if you want SecureNow to see sessions but not block anything.
+ */
+function capture(options = {}) {
+  if (options.captureWindowMs) _captureWindowMs = options.captureWindowMs;
+  const { getSessionId, getUserId } = options;
+  return function securenowSessionCapture(req, res, next) {
+    try {
+      const { sessionId, userId } = extractIdentity(req, getSessionId, getUserId);
+      emitSessionSeen(sessionId, userId, resolveClientIp(req));
+    } catch {
+      /* fail-open */
+    }
+    return next();
+  };
+}
+
+function defaultOnRevoked(req, res) {
+  try {
+    const clears = SESSION_COOKIES.map((n) => `${n}=; Path=/; Max-Age=0; HttpOnly`);
+    if (typeof res.setHeader === 'function') res.setHeader('Set-Cookie', clears);
+  } catch {}
+  if (typeof res.status === 'function' && typeof res.json === 'function') {
+    return res.status(401).json({ error: 'Session revoked. Please sign in again.', code: 'session_revoked' });
+  }
+  res.statusCode = 401;
+  try { res.end('Session revoked'); } catch {}
+}
+
+/**
+ * Express-style middleware that rejects requests whose session/user is revoked.
+ * Starts background sync on first use. Fail-open and never throws.
+ *
+ * @param {object} [options]
+ * @param {(req)=>string} [options.getSessionId]  Custom session id extractor.
+ * @param {(req)=>string} [options.getUserId]     Custom user id extractor.
+ * @param {(req,res,next,ctx)=>void} [options.onRevoked]  Custom rejection handler.
+ * @param {number} [options.syncIntervalMs]
+ */
+function guard(options = {}) {
+  start(options);
+  if (options.captureWindowMs) _captureWindowMs = options.captureWindowMs;
+  const { getSessionId, getUserId } = options;
+  const onRevoked = options.onRevoked || defaultOnRevoked;
+  const doCapture = options.capture !== false; // emit session.seen by default
+  return function securenowSessionGuard(req, res, next) {
+    try {
+      const { sessionId, userId } = extractIdentity(req, getSessionId, getUserId);
+      // Detect: feed session-theft detection (deduped, fire-and-forget).
+      if (doCapture) emitSessionSeen(sessionId, userId, resolveClientIp(req));
+      // Respond: reject if this session/user has been revoked.
+      if (isRevoked({ sessionId, userId })) {
+        return onRevoked(req, res, next, { sessionId, userId });
+      }
+    } catch {
+      /* fail-open */
+    }
+    return next();
+  };
+}
+
+module.exports = { start, syncOnce, isRevoked, guard, capture, resolveClientIp, sha256 };