servcraft 0.1.0 → 0.1.3

package/src/modules/search/types.ts

@@ -0,0 +1,214 @@
+export type SearchEngineType = 'elasticsearch' | 'meilisearch' | 'memory';
+
+export interface SearchConfig {
+  /** Search engine to use */
+  engine?: SearchEngineType;
+  /** Elasticsearch config */
+  elasticsearch?: {
+    node: string;
+    auth?: {
+      username: string;
+      password: string;
+    };
+    apiKey?: string;
+  };
+  /** Meilisearch config */
+  meilisearch?: {
+    host: string;
+    apiKey?: string;
+  };
+  /** Default index settings */
+  defaultSettings?: IndexSettings;
+}
+
+export interface IndexSettings {
+  /** Searchable attributes */
+  searchableAttributes?: string[];
+  /** Attributes to display in results */
+  displayedAttributes?: string[];
+  /** Filterable attributes */
+  filterableAttributes?: string[];
+  /** Sortable attributes */
+  sortableAttributes?: string[];
+  /** Ranking rules */
+  rankingRules?: string[];
+  /** Stop words */
+  stopWords?: string[];
+  /** Synonyms */
+  synonyms?: Record<string, string[]>;
+  /** Number of replicas */
+  numberOfReplicas?: number;
+  /** Number of shards */
+  numberOfShards?: number;
+}
+
+export interface SearchDocument {
+  /** Document unique ID */
+  id: string;
+  /** Document data */
+  [key: string]: unknown;
+}
+
+export interface SearchQuery {
+  /** Search query string */
+  query: string;
+  /** Filters to apply */
+  filters?: SearchFilter[];
+  /** Fields to search in */
+  fields?: string[];
+  /** Limit results */
+  limit?: number;
+  /** Offset for pagination */
+  offset?: number;
+  /** Sort options */
+  sort?: SearchSort[];
+  /** Facets to compute */
+  facets?: string[];
+  /** Highlight matches */
+  highlight?: boolean;
+  /** Fuzzy search threshold (0-1) */
+  fuzziness?: number;
+}
+
+export interface SearchFilter {
+  /** Field to filter on */
+  field: string;
+  /** Filter operator */
+  operator: 'eq' | 'ne' | 'gt' | 'gte' | 'lt' | 'lte' | 'in' | 'nin' | 'contains' | 'exists';
+  /** Filter value */
+  value: unknown;
+}
+
+export interface SearchSort {
+  /** Field to sort by */
+  field: string;
+  /** Sort direction */
+  direction: 'asc' | 'desc';
+}
+
+export interface SearchResult<T = SearchDocument> {
+  /** Matched documents */
+  hits: SearchHit<T>[];
+  /** Total number of matches */
+  total: number;
+  /** Query processing time (ms) */
+  processingTime: number;
+  /** Current page */
+  page?: number;
+  /** Total pages */
+  totalPages?: number;
+  /** Facet results */
+  facets?: Record<string, FacetResult>;
+}
+
+export interface SearchHit<T = SearchDocument> {
+  /** Document */
+  document: T;
+  /** Relevance score */
+  score?: number;
+  /** Highlighted fields */
+  highlights?: Record<string, string[]>;
+  /** Matched terms */
+  matchedTerms?: string[];
+}
+
+export interface FacetResult {
+  /** Facet values and counts */
+  values: Array<{
+    value: string;
+    count: number;
+  }>;
+  /** Total unique values */
+  total: number;
+}
+
+export interface AutocompleteResult {
+  /** Suggestions */
+  suggestions: string[];
+  /** Documents matching suggestions */
+  documents?: SearchDocument[];
+  /** Processing time (ms) */
+  processingTime: number;
+}
+
+export interface IndexStats {
+  /** Index name */
+  name: string;
+  /** Total documents */
+  documentCount: number;
+  /** Index size in bytes */
+  size: number;
+  /** Is indexing in progress */
+  isIndexing: boolean;
+  /** Last update timestamp */
+  lastUpdate?: Date;
+  /** Health status */
+  health?: 'green' | 'yellow' | 'red';
+}
+
+export interface BulkIndexOperation {
+  /** Operation type */
+  operation: 'index' | 'update' | 'delete';
+  /** Document ID */
+  id: string;
+  /** Document data (for index/update) */
+  document?: SearchDocument;
+}
+
+export interface BulkIndexResult {
+  /** Successful operations */
+  success: number;
+  /** Failed operations */
+  failed: number;
+  /** Error details */
+  errors?: Array<{
+    id: string;
+    error: string;
+  }>;
+  /** Processing time (ms) */
+  processingTime: number;
+}
+
+export interface SearchSuggestion {
+  /** Suggestion text */
+  text: string;
+  /** Score/relevance */
+  score: number;
+  /** Highlighted version */
+  highlighted?: string;
+}
+
+export interface SearchEngine {
+  /** Index a document */
+  index(indexName: string, id: string, document: SearchDocument): Promise<void>;
+
+  /** Bulk index documents */
+  bulkIndex(indexName: string, operations: BulkIndexOperation[]): Promise<BulkIndexResult>;
+
+  /** Search documents */
+  search<T = SearchDocument>(indexName: string, query: SearchQuery): Promise<SearchResult<T>>;
+
+  /** Delete document */
+  delete(indexName: string, id: string): Promise<void>;
+
+  /** Update document */
+  update(indexName: string, id: string, document: Partial<SearchDocument>): Promise<void>;
+
+  /** Get document by ID */
+  get(indexName: string, id: string): Promise<SearchDocument | null>;
+
+  /** Create index */
+  createIndex(indexName: string, settings?: IndexSettings): Promise<void>;
+
+  /** Delete index */
+  deleteIndex(indexName: string): Promise<void>;
+
+  /** Update index settings */
+  updateSettings(indexName: string, settings: IndexSettings): Promise<void>;
+
+  /** Get index stats */
+  getStats(indexName: string): Promise<IndexStats>;
+
+  /** Autocomplete */
+  autocomplete(indexName: string, query: string, limit?: number): Promise<AutocompleteResult>;
+}

package/src/modules/security/index.ts

@@ -0,0 +1,40 @@
+/**
+ * Security Module
+ * Comprehensive security features for the application
+ */
+
+// Sanitization
+export {
+  escapeHtml,
+  stripDangerousHtml,
+  sanitizeString,
+  sanitizeObject,
+  sanitizeSqlPatterns,
+  sanitizeUrl,
+  sanitizeFilename,
+  sanitizeForJson,
+  containsDangerousContent,
+  type SanitizeOptions,
+  type SanitizeMiddlewareOptions,
+} from './sanitize.js';
+
+// Middleware
+export {
+  sanitizeInput,
+  csrfProtection,
+  generateCsrfToken,
+  hppProtection,
+  securityHeaders,
+  requestSizeLimit,
+  suspiciousActivityDetection,
+  registerSecurityMiddlewares,
+} from './security.middleware.js';
+
+// Security Audit
+export {
+  SecurityAuditService,
+  getSecurityAuditService,
+  type SecurityEvent,
+  type SecurityEventType,
+  type SecurityEventInput,
+} from './security-audit.service.js';

package/src/modules/security/sanitize.ts

@@ -0,0 +1,223 @@
+/**
+ * Input Sanitization Module
+ * Prevents XSS attacks by sanitizing user input
+ */
+
+// HTML entities to escape
+const HTML_ENTITIES: Record<string, string> = {
+  '&': '&amp;',
+  '<': '&lt;',
+  '>': '&gt;',
+  '"': '&quot;',
+  "'": '&#x27;',
+  '/': '&#x2F;',
+  '`': '&#x60;',
+  '=': '&#x3D;',
+};
+
+// Regex patterns for dangerous content
+const SCRIPT_PATTERN = /<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi;
+const EVENT_HANDLER_PATTERN = /\s*on\w+\s*=\s*(['"])[^'"]*\1/gi;
+const JAVASCRIPT_URL_PATTERN = /javascript\s*:/gi;
+const DATA_URL_PATTERN = /data\s*:/gi;
+const EXPRESSION_PATTERN = /expression\s*\(/gi;
+const VBSCRIPT_PATTERN = /vbscript\s*:/gi;
+
+/**
+ * Escape HTML special characters
+ */
+export function escapeHtml(str: string): string {
+  if (typeof str !== 'string') return str;
+  return str.replace(/[&<>"'`=/]/g, (char) => HTML_ENTITIES[char] || char);
+}
+
+/**
+ * Remove dangerous HTML tags and attributes
+ */
+export function stripDangerousHtml(str: string): string {
+  if (typeof str !== 'string') return str;
+
+  return str
+    .replace(SCRIPT_PATTERN, '')
+    .replace(EVENT_HANDLER_PATTERN, '')
+    .replace(JAVASCRIPT_URL_PATTERN, '')
+    .replace(DATA_URL_PATTERN, '')
+    .replace(EXPRESSION_PATTERN, '')
+    .replace(VBSCRIPT_PATTERN, '');
+}
+
+/**
+ * Sanitize a string for safe output
+ */
+export function sanitizeString(str: string, options: SanitizeOptions = {}): string {
+  if (typeof str !== 'string') return str;
+
+  const { escapeHtmlChars = true, stripScripts = true, trim = true, maxLength } = options;
+
+  let result = str;
+
+  if (trim) {
+    result = result.trim();
+  }
+
+  if (stripScripts) {
+    result = stripDangerousHtml(result);
+  }
+
+  if (escapeHtmlChars) {
+    result = escapeHtml(result);
+  }
+
+  if (maxLength && result.length > maxLength) {
+    result = result.substring(0, maxLength);
+  }
+
+  return result;
+}
+
+/**
+ * Sanitize an object recursively
+ */
+export function sanitizeObject<T extends Record<string, unknown>>(
+  obj: T,
+  options: SanitizeOptions = {}
+): T {
+  if (obj === null || typeof obj !== 'object') {
+    return obj;
+  }
+
+  if (Array.isArray(obj)) {
+    return obj.map((item) => {
+      if (typeof item === 'string') {
+        return sanitizeString(item, options);
+      }
+      if (typeof item === 'object' && item !== null) {
+        return sanitizeObject(item as Record<string, unknown>, options);
+      }
+      return item;
+    }) as unknown as T;
+  }
+
+  const sanitized: Record<string, unknown> = {};
+
+  for (const [key, value] of Object.entries(obj)) {
+    // Sanitize the key as well (prevent prototype pollution)
+    const safeKey = sanitizeString(key, { escapeHtmlChars: false, stripScripts: true });
+
+    // Skip dangerous keys
+    if (safeKey === '__proto__' || safeKey === 'constructor' || safeKey === 'prototype') {
+      continue;
+    }
+
+    if (typeof value === 'string') {
+      sanitized[safeKey] = sanitizeString(value, options);
+    } else if (typeof value === 'object' && value !== null) {
+      sanitized[safeKey] = sanitizeObject(value as Record<string, unknown>, options);
+    } else {
+      sanitized[safeKey] = value;
+    }
+  }
+
+  return sanitized as T;
+}
+
+/**
+ * Sanitize SQL-like patterns (additional protection layer)
+ * Note: Prisma already handles SQL injection, this is defense-in-depth
+ */
+export function sanitizeSqlPatterns(str: string): string {
+  if (typeof str !== 'string') return str;
+
+  return str
+    .replace(/--/g, '')
+    .replace(/;/g, '')
+    .replace(/\/\*/g, '')
+    .replace(/\*\//g, '')
+    .replace(/xp_/gi, '')
+    .replace(/union\s+select/gi, '')
+    .replace(/insert\s+into/gi, '')
+    .replace(/drop\s+table/gi, '')
+    .replace(/delete\s+from/gi, '');
+}
+
+/**
+ * Sanitize for safe URL usage
+ */
+export function sanitizeUrl(url: string): string {
+  if (typeof url !== 'string') return '';
+
+  const sanitized = url.trim().toLowerCase();
+
+  // Block dangerous protocols
+  if (
+    sanitized.startsWith('javascript:') ||
+    sanitized.startsWith('data:') ||
+    sanitized.startsWith('vbscript:')
+  ) {
+    return '';
+  }
+
+  return url;
+}
+
+/**
+ * Sanitize filename for safe storage
+ */
+export function sanitizeFilename(filename: string): string {
+  if (typeof filename !== 'string') return '';
+
+  return filename
+    .replace(/[^a-zA-Z0-9._-]/g, '_') // Replace unsafe chars with underscore
+    .replace(/\.{2,}/g, '.') // Remove multiple dots
+    .replace(/^\.+|\.+$/g, '') // Remove leading/trailing dots
+    .substring(0, 255); // Limit length
+}
+
+/**
+ * Sanitize for JSON output (prevent JSON injection)
+ */
+export function sanitizeForJson(str: string): string {
+  if (typeof str !== 'string') return str;
+
+  return str
+    .replace(/\\/g, '\\\\')
+    .replace(/"/g, '\\"')
+    .replace(/\n/g, '\\n')
+    .replace(/\r/g, '\\r')
+    .replace(/\t/g, '\\t');
+}
+
+/**
+ * Check if a string contains potentially dangerous content
+ */
+export function containsDangerousContent(str: string): boolean {
+  if (typeof str !== 'string') return false;
+
+  return (
+    SCRIPT_PATTERN.test(str) ||
+    EVENT_HANDLER_PATTERN.test(str) ||
+    JAVASCRIPT_URL_PATTERN.test(str) ||
+    /<iframe/i.test(str) ||
+    /<object/i.test(str) ||
+    /<embed/i.test(str) ||
+    /<form/i.test(str)
+  );
+}
+
+export interface SanitizeOptions {
+  /** Escape HTML characters (default: true) */
+  escapeHtmlChars?: boolean;
+  /** Strip script tags and event handlers (default: true) */
+  stripScripts?: boolean;
+  /** Trim whitespace (default: true) */
+  trim?: boolean;
+  /** Maximum length of string */
+  maxLength?: number;
+}
+
+export interface SanitizeMiddlewareOptions extends SanitizeOptions {
+  /** Fields to skip sanitization */
+  skipFields?: string[];
+  /** Only sanitize these fields */
+  onlyFields?: string[];
+}