securenow 8.5.0 → 8.7.0

package/nextjs-wrapper.js

@@ -1,155 +1,234 @@
-/**
- * SecureNow Next.js API Route Wrapper for Body Capture
- * 
- * This approach is NON-INVASIVE and runs INSIDE your handler,
- * so it never blocks or interferes with middleware or routing.
- * 
- * Usage:
- * 
- * import { withSecureNow } from 'securenow/nextjs-wrapper';
- * 
- * export const POST = withSecureNow(async (request) => {
- *   // Your handler code - request.body is available as parsed JSON
- *   const data = await request.json();
- *   return Response.json({ success: true });
- * });
- */
-
-const { trace } = require('@opentelemetry/api');
-const appConfig = require('./app-config');
-
-// Default sensitive fields to redact
-const DEFAULT_SENSITIVE_FIELDS = [
-  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
-  'access_token', 'auth', 'credentials', 'mysql_pwd', 'stripeToken',
-  'card', 'cardnumber', 'ccv', 'cvc', 'cvv', 'ssn', 'pin',
-];
-
-/**
- * Redact sensitive fields from an object
- */
-function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
-  if (!obj || typeof obj !== 'object') return obj;
-  
-  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
-  
-  for (const key of Object.keys(redacted)) {
-    const lowerKey = key.toLowerCase();
-    
-    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
-      redacted[key] = '[REDACTED]';
-    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
-      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
-    }
-  }
-  
-  return redacted;
-}
-
-/**
- * Capture body from Request object (clone to avoid consuming)
- */
-async function captureRequestBody(request) {
-  const captureBody = appConfig.boolConfig('capture.body', true);
-  
-  if (!captureBody) return;
-  if (!['POST', 'PUT', 'PATCH'].includes(request.method)) return;
-  
-  const span = trace.getActiveSpan();
-  if (!span) return;
-  
-  try {
-    const contentType = request.headers.get('content-type') || '';
-    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
-    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
-    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
-    
-    // Only for supported types
-    if (!contentType.includes('application/json') && 
-        !contentType.includes('application/graphql') &&
-        !contentType.includes('application/x-www-form-urlencoded')) {
-      return;
-    }
-    
-    // Clone to avoid consuming the original
-    const cloned = request.clone();
-    const bodyText = await cloned.text();
-    
-    if (bodyText.length > maxBodySize) {
-      span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
-      span.setAttribute('http.request.body.size', bodyText.length);
-      return;
-    }
-    
-    // Parse and redact based on type
-    let redacted;
-    if (contentType.includes('application/json') || contentType.includes('application/graphql')) {
-      try {
-        const parsed = JSON.parse(bodyText);
-        redacted = redactSensitiveData(parsed, allSensitiveFields);
-        span.setAttributes({
-          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
-          'http.request.body.size': bodyText.length,
-        });
-      } catch (e) {
-        span.setAttribute('http.request.body', '[INVALID JSON]');
-      }
-    } else if (contentType.includes('application/x-www-form-urlencoded')) {
-      const params = new URLSearchParams(bodyText);
-      const parsed = Object.fromEntries(params);
-      redacted = redactSensitiveData(parsed, allSensitiveFields);
-      span.setAttributes({
-        'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
-        'http.request.body.type': 'form',
-        'http.request.body.size': bodyText.length,
-      });
-    }
-  } catch (error) {
-    // Silently fail - never block the request
-  }
-}
-
-/**
- * Wrap a Next.js API route handler to capture body
- * This is OPTIONAL and NON-INVASIVE - only use on routes where you want body capture
- */
-function withSecureNow(handler) {
-  return async function wrappedHandler(request, context) {
-    // Capture body asynchronously (doesn't block handler)
-    captureRequestBody(request).catch(() => {
-      // Ignore errors silently
-    });
-    
-    // Call original handler immediately - no blocking!
-    return handler(request, context);
-  };
-}
-
-/**
- * Alternative: Auto-capture wrapper that tries to capture AFTER handler runs
- * This is even safer as it never interferes with the handler logic
- */
-function withSecureNowAsync(handler) {
-  return async function wrappedHandler(request, context) {
-    // Try to capture body in background (non-blocking)
-    const capturePromise = captureRequestBody(request);
-    
-    // Run handler
-    const response = await handler(request, context);
-    
-    // Wait for capture to finish (but don't fail if it doesn't)
-    await capturePromise.catch(() => {});
-    
-    return response;
-  };
-}
-
-module.exports = {
-  withSecureNow,
-  withSecureNowAsync,
-  captureRequestBody,
-  redactSensitiveData,
-  DEFAULT_SENSITIVE_FIELDS,
-};
-
+/**
+ * SecureNow Next.js API Route Wrapper for Body Capture
+ * 
+ * This approach is NON-INVASIVE and runs INSIDE your handler,
+ * so it never blocks or interferes with middleware or routing.
+ * 
+ * Usage:
+ * 
+ * import { withSecureNow } from 'securenow/nextjs-wrapper';
+ * 
+ * export const POST = withSecureNow(async (request) => {
+ *   // Your handler code - request.body is available as parsed JSON
+ *   const data = await request.json();
+ *   return Response.json({ success: true });
+ * });
+ */
+
+const { trace } = require('@opentelemetry/api');
+const appConfig = require('./app-config');
+
+// Default sensitive fields to redact from request bodies.
+// Matched substring-wise against lowercased keys (see redactSensitiveData),
+// so e.g. 'card' also catches 'creditCard' and 'account' also catches
+// 'accountNumber'. Over-redaction here is intentional: a falsely-redacted
+// telemetry value is always safer than a leaked secret. Entries are kept
+// specific enough to avoid nuking broad benign keys (e.g. we use
+// 'firstname'/'lastname'/'fullname', never bare 'name').
+const DEFAULT_SENSITIVE_FIELDS = [
+  // credentials / auth
+  'password', 'passwd', 'pwd', 'secret', 'token', 'api_key', 'apikey',
+  'access_token', 'auth', 'authorization', 'bearer', 'credentials',
+  'mysql_pwd', 'otp', 'mfa', 'totp', 'sessionid', 'session_id',
+  'cookie', 'set-cookie',
+  // financial
+  'stripeToken', 'card', 'cardnumber', 'ccv', 'cvc', 'cvv',
+  'iban', 'account', 'accountnumber', 'routing', 'sortcode', 'taxid',
+  // PII
+  'ssn', 'pin', 'email', 'e_mail', 'phone', 'mobile', 'dob', 'birthdate',
+  'firstname', 'lastname', 'fullname', 'address', 'postcode', 'zip',
+  'passport', 'license',
+];
+
+// Conservative value-shape redactors. Key-name matching misses secrets that
+// land in free-form string values (GraphQL bodies, message fields, etc.), so
+// as a second layer we scrub string VALUES that *look like* a secret/PII.
+// These are intentionally precise/bounded so they don't garble normal prose,
+// and they only ever transform captured telemetry strings (read-only) — never
+// the actual request/response stream. Compiled once at module load.
+const VALUE_REDACTORS = [
+  // JWT: three base64url segments. Anchored to the eyJ header so it won't
+  // match arbitrary dotted tokens.
+  { name: 'jwt', re: /eyJ[A-Za-z0-9_-]{6,}\.[A-Za-z0-9_-]{4,}\.[A-Za-z0-9_-]{4,}/g },
+  // Bearer/Basic auth header value embedded in a body string.
+  { name: 'bearer', re: /\b(?:Bearer|Basic)\s+[A-Za-z0-9._~+/=-]{8,}/gi },
+  // Stripe-style / SecureNow live+test API keys.
+  { name: 'apikey', re: /\b(?:sk|pk|rk|snk)_(?:live|test)_[A-Za-z0-9]{8,}/g },
+  // Email addresses (bounded local/domain parts).
+  { name: 'email', re: /\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,24}\b/g },
+  // Credit-card-like: 13–19 digit runs that pass a Luhn check, allowing
+  // space/dash grouping. Luhn-gated to avoid clobbering ordinary long numbers.
+  { name: 'card', re: /\b(?:\d[ -]?){13,19}\b/g, luhn: true },
+];
+
+// Skip the value-shape scan on very large strings to bound per-body cost.
+const MAX_VALUE_SCAN_LENGTH = 16384;
+
+function luhnValid(digits) {
+  let sum = 0;
+  let alt = false;
+  for (let i = digits.length - 1; i >= 0; i--) {
+    let d = digits.charCodeAt(i) - 48;
+    if (d < 0 || d > 9) return false;
+    if (alt) { d *= 2; if (d > 9) d -= 9; }
+    sum += d;
+    alt = !alt;
+  }
+  return sum % 10 === 0;
+}
+
+/**
+ * Redact obvious secret/PII shapes inside a captured string VALUE.
+ * Returns the input unchanged when nothing matches (cheap common case).
+ */
+function redactSensitiveValue(value) {
+  if (typeof value !== 'string' || value.length === 0) return value;
+  if (value.length > MAX_VALUE_SCAN_LENGTH) return value; // bound the work
+  let out = value;
+  for (const r of VALUE_REDACTORS) {
+    r.re.lastIndex = 0;
+    if (r.luhn) {
+      out = out.replace(r.re, (m) => {
+        const digits = m.replace(/[ -]/g, '');
+        if (digits.length < 13 || digits.length > 19) return m;
+        return luhnValid(digits) ? '[REDACTED]' : m;
+      });
+    } else {
+      out = out.replace(r.re, '[REDACTED]');
+    }
+  }
+  return out;
+}
+
+/**
+ * Redact sensitive fields from an object
+ */
+function redactSensitiveData(obj, sensitiveFields = DEFAULT_SENSITIVE_FIELDS) {
+  if (!obj || typeof obj !== 'object') return obj;
+
+  const redacted = Array.isArray(obj) ? [...obj] : { ...obj };
+
+  for (const key of Object.keys(redacted)) {
+    const lowerKey = key.toLowerCase();
+
+    if (sensitiveFields.some(field => lowerKey.includes(field.toLowerCase()))) {
+      redacted[key] = '[REDACTED]';
+    } else if (typeof redacted[key] === 'object' && redacted[key] !== null) {
+      redacted[key] = redactSensitiveData(redacted[key], sensitiveFields);
+    } else if (typeof redacted[key] === 'string') {
+      // Second layer: even if the key name looks benign, scrub values that
+      // *look like* a secret/PII (JWT, bearer token, API key, email, card).
+      redacted[key] = redactSensitiveValue(redacted[key]);
+    }
+  }
+
+  return redacted;
+}
+
+/**
+ * Capture body from Request object (clone to avoid consuming)
+ */
+async function captureRequestBody(request) {
+  const captureBody = appConfig.boolConfig('capture.body', true);
+  
+  if (!captureBody) return;
+  if (!['POST', 'PUT', 'PATCH'].includes(request.method)) return;
+  
+  const span = trace.getActiveSpan();
+  if (!span) return;
+  
+  try {
+    const contentType = request.headers.get('content-type') || '';
+    const maxBodySize = appConfig.numberConfig('capture.maxBodySize', 10240, 1024);
+    const customSensitiveFields = appConfig.listConfig('capture.sensitiveFields');
+    const allSensitiveFields = [...DEFAULT_SENSITIVE_FIELDS, ...customSensitiveFields];
+    
+    // Only for supported types
+    if (!contentType.includes('application/json') && 
+        !contentType.includes('application/graphql') &&
+        !contentType.includes('application/x-www-form-urlencoded')) {
+      return;
+    }
+    
+    // Clone to avoid consuming the original
+    const cloned = request.clone();
+    const bodyText = await cloned.text();
+    
+    if (bodyText.length > maxBodySize) {
+      span.setAttribute('http.request.body', `[TOO LARGE: ${bodyText.length} bytes]`);
+      span.setAttribute('http.request.body.size', bodyText.length);
+      return;
+    }
+    
+    // Parse and redact based on type
+    let redacted;
+    if (contentType.includes('application/json') || contentType.includes('application/graphql')) {
+      try {
+        const parsed = JSON.parse(bodyText);
+        redacted = redactSensitiveData(parsed, allSensitiveFields);
+        span.setAttributes({
+          'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+          'http.request.body.type': contentType.includes('graphql') ? 'graphql' : 'json',
+          'http.request.body.size': bodyText.length,
+        });
+      } catch (e) {
+        span.setAttribute('http.request.body', '[INVALID JSON]');
+      }
+    } else if (contentType.includes('application/x-www-form-urlencoded')) {
+      const params = new URLSearchParams(bodyText);
+      const parsed = Object.fromEntries(params);
+      redacted = redactSensitiveData(parsed, allSensitiveFields);
+      span.setAttributes({
+        'http.request.body': JSON.stringify(redacted).substring(0, maxBodySize),
+        'http.request.body.type': 'form',
+        'http.request.body.size': bodyText.length,
+      });
+    }
+  } catch (error) {
+    // Silently fail - never block the request
+  }
+}
+
+/**
+ * Wrap a Next.js API route handler to capture body
+ * This is OPTIONAL and NON-INVASIVE - only use on routes where you want body capture
+ */
+function withSecureNow(handler) {
+  return async function wrappedHandler(request, context) {
+    // Capture body asynchronously (doesn't block handler)
+    captureRequestBody(request).catch(() => {
+      // Ignore errors silently
+    });
+    
+    // Call original handler immediately - no blocking!
+    return handler(request, context);
+  };
+}
+
+/**
+ * Alternative: Auto-capture wrapper that tries to capture AFTER handler runs
+ * This is even safer as it never interferes with the handler logic
+ */
+function withSecureNowAsync(handler) {
+  return async function wrappedHandler(request, context) {
+    // Try to capture body in background (non-blocking)
+    const capturePromise = captureRequestBody(request);
+    
+    // Run handler
+    const response = await handler(request, context);
+    
+    // Wait for capture to finish (but don't fail if it doesn't)
+    await capturePromise.catch(() => {});
+    
+    return response;
+  };
+}
+
+module.exports = {
+  withSecureNow,
+  withSecureNowAsync,
+  captureRequestBody,
+  redactSensitiveData,
+  DEFAULT_SENSITIVE_FIELDS,
+};
+