npm - xypriss - Versions diffs - 9.10.19 → 9.10.21 - Mend

xypriss 9.10.19 → 9.10.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (946) hide show

package/dist/src/middleware/security-middleware.js DELETED Viewed

@@ -1,1026 +0,0 @@
-/**
- * XyPriss Security Middleware
- * Comprehensive security middleware using BuiltInMiddleware as single source of truth
- */
-import { Random } from "xypriss-security";
-import { SQLInjectionDetector, PathTraversalDetector, CommandInjectionDetector, XXEProtector, LDAPInjectionDetector, MobileOnlyProtector, } from "./built-in/security";
-import { Logger } from "../shared/logger/Logger";
-import { BuiltInMiddleware } from "./built-in/BuiltInMiddleware";
-import xss from "xss"; // Used for custom XSS sanitization logic
-/**
- * Security middleware class implementing comprehensive protection
- * Implements SecurityConfig interface to ensure type safety
- */
-export class SecurityMiddleware {
-    constructor(config = {}, logger) {
-        // Initialize logger (create default if not provided)
-        this.logger =
-            logger ||
-                new Logger({
-                    enabled: true,
-                    level: "debug",
-                    components: { security: true },
-                    types: { debug: true },
-                });
-        // Set defaults and merge with provided config
-        this.level = config.level || "enhanced";
-        this._ignore = config._ignore || [];
-        this._ignoreAll = config._ignoreAll || [];
-        this.csrf = config.csrf !== false ? config.csrf || true : false;
-        this.helmet = config.helmet !== false ? config.helmet || true : false;
-        this.xss = config.xss !== false ? config.xss || true : false;
-        this.sqlInjection =
-            config.sqlInjection !== false ? config.sqlInjection || true : false;
-        this.pathTraversal =
-            config.pathTraversal !== false
-                ? config.pathTraversal || false
-                : false;
-        this.commandInjection =
-            config.commandInjection !== false
-                ? config.commandInjection || false
-                : false;
-        this.xxe = config.xxe !== false ? config.xxe || false : false;
-        this.ldapInjection =
-            config.ldapInjection !== false
-                ? config.ldapInjection || false
-                : false;
-        this.bruteForce =
-            config.bruteForce !== false ? config.bruteForce || true : false;
-        this.rateLimit =
-            config.rateLimit !== false ? config.rateLimit || true : false;
-        // If rateLimit is explicitly configured as an object, disable bruteForce to avoid conflicts
-        if (typeof config.rateLimit === "object" && config.rateLimit !== null) {
-            this.bruteForce = false;
-            this.logger.debug("security", "Brute force protection disabled because rateLimit is explicitly configured");
-        }
-        this.cors = config.cors !== false ? config.cors || true : false;
-        this.compression =
-            config.compression !== false ? config.compression || true : false;
-        this.hpp = config.hpp !== false ? config.hpp || true : false;
-        this.mongoSanitize =
-            config.mongoSanitize !== false
-                ? config.mongoSanitize || true
-                : false;
-        this.slowDown =
-            config.slowDown !== false ? config.slowDown || true : false;
-        this.browserOnly =
-            config.browserOnly !== false ? config.browserOnly || false : false;
-        this.terminalOnly =
-            config.terminalOnly !== false
-                ? config.terminalOnly || false
-                : false;
-        this.requestSignature =
-            config.requestSignature !== false
-                ? config.requestSignature || false
-                : false;
-        this.mobileOnly =
-            config.mobileOnly !== false ? config.mobileOnly || false : false;
-        this.deviceAccess = config.deviceAccess;
-        // If deviceAccess is provided, override individual settings
-        if (this.deviceAccess) {
-            this.browserOnly = this.deviceAccess.browserOnly || false;
-            this.terminalOnly = this.deviceAccess.terminalOnly || false;
-            this.mobileOnly = this.deviceAccess.mobileOnly || false;
-        }
-        // Validate device access configuration
-        this.validateDeviceAccessConfig();
-        this.encryption = {
-            algorithm: "AES-256-GCM",
-            keySize: 32,
-            ...config.encryption,
-        };
-        this.authentication = {
-            jwt: {
-                secret: config.authentication?.jwt?.secret ||
-                    Random.generateSecureToken(32).toString("hex"),
-                expiresIn: config.authentication?.jwt?.expiresIn || "1h",
-                algorithm: config.authentication?.jwt?.algorithm || "HS256",
-            },
-            session: {
-                secret: config.authentication?.session?.secret ||
-                    Random.generateSecureToken(32).toString("hex"),
-                name: config.authentication?.session?.name ||
-                    "xypriss.nehonix.sid",
-                cookie: {
-                    maxAge: 24 * 60 * 60 * 1000, // 24 hours
-                    secure: true,
-                    httpOnly: true,
-                    sameSite: "strict",
-                    ...config.authentication?.session?.cookie,
-                },
-            },
-            ...config.authentication,
-        };
-        // Store route configuration
-        this.routeConfig = config.routeConfig;
-        // Initialize security detectors
-        this.sqlInjectionDetector = new SQLInjectionDetector({
-            strictMode: typeof this.sqlInjection === "object"
-                ? this.sqlInjection.strictMode
-                : false,
-            contextualAnalysis: typeof this.sqlInjection === "object"
-                ? this.sqlInjection.contextualAnalysis
-                : true,
-            logAttempts: typeof this.sqlInjection === "object"
-                ? this.sqlInjection.logAttempts
-                : true,
-            falsePositiveThreshold: typeof this.sqlInjection === "object"
-                ? this.sqlInjection.falsePositiveThreshold
-                : 0.6,
-            maxLength: typeof this.sqlInjection === "object"
-                ? this.sqlInjection.maxLength
-                : 1000,
-        });
-        this.pathTraversalDetector = new PathTraversalDetector({
-            enabled: !!this.pathTraversal,
-            strictMode: typeof this.pathTraversal === "object"
-                ? this.pathTraversal.strictMode
-                : false,
-            logAttempts: typeof this.pathTraversal === "object"
-                ? this.pathTraversal.logAttempts
-                : true,
-            blockOnDetection: typeof this.pathTraversal === "object"
-                ? this.pathTraversal.blockOnDetection
-                : true,
-            allowedPaths: typeof this.pathTraversal === "object"
-                ? this.pathTraversal.allowedPaths
-                : [],
-            allowedExtensions: typeof this.pathTraversal === "object"
-                ? this.pathTraversal.allowedExtensions
-                : [".jpg", ".png", ".pdf", ".txt"],
-            maxDepth: typeof this.pathTraversal === "object"
-                ? this.pathTraversal.maxDepth
-                : 3,
-            falsePositiveThreshold: typeof this.pathTraversal === "object"
-                ? this.pathTraversal.falsePositiveThreshold
-                : 0.6,
-        });
-        this.commandInjectionDetector = new CommandInjectionDetector({
-            enabled: !!this.commandInjection,
-            strictMode: typeof this.commandInjection === "object"
-                ? this.commandInjection.strictMode
-                : false,
-            logAttempts: typeof this.commandInjection === "object"
-                ? this.commandInjection.logAttempts
-                : true,
-            blockOnDetection: typeof this.commandInjection === "object"
-                ? this.commandInjection.blockOnDetection
-                : true,
-            contextualAnalysis: typeof this.commandInjection === "object"
-                ? this.commandInjection.contextualAnalysis
-                : true,
-            allowedCommands: typeof this.commandInjection === "object"
-                ? this.commandInjection.allowedCommands
-                : [],
-            falsePositiveThreshold: typeof this.commandInjection === "object"
-                ? this.commandInjection.falsePositiveThreshold
-                : 0.7,
-        });
-        this.xxeProtector = new XXEProtector({
-            enabled: !!this.xxe,
-            strictMode: typeof this.xxe === "object" ? this.xxe.strictMode : true,
-            logAttempts: typeof this.xxe === "object" ? this.xxe.logAttempts : true,
-            blockOnDetection: typeof this.xxe === "object" ? this.xxe.blockOnDetection : true,
-            allowDTD: typeof this.xxe === "object" ? this.xxe.allowDTD : false,
-            allowExternalEntities: typeof this.xxe === "object"
-                ? this.xxe.allowExternalEntities
-                : false,
-            maxEntityExpansions: typeof this.xxe === "object" ? this.xxe.maxEntityExpansions : 0,
-        });
-        this.ldapInjectionDetector = new LDAPInjectionDetector({
-            enabled: !!this.ldapInjection,
-            strictMode: typeof this.ldapInjection === "object"
-                ? this.ldapInjection.strictMode
-                : false,
-            logAttempts: typeof this.ldapInjection === "object"
-                ? this.ldapInjection.logAttempts
-                : true,
-            blockOnDetection: typeof this.ldapInjection === "object"
-                ? this.ldapInjection.blockOnDetection
-                : true,
-            falsePositiveThreshold: typeof this.ldapInjection === "object"
-                ? this.ldapInjection.falsePositiveThreshold
-                : 0.6,
-        });
-        // Initialize all middleware instances
-        this.initializeMiddleware();
-    }
-    /**
-     * Initialize all security middleware instances using BuiltInMiddleware
-     * BuiltInMiddleware is the single source of truth for all middleware wrappers
-     */
-    initializeMiddleware() {
-        // Helmet for security headers
-        if (this.helmet) {
-            const helmetConfig = typeof this.helmet === "object" ? this.helmet : {};
-            // Prepare CSP configuration with proper merging
-            let cspConfig = false;
-            if (this.level === "maximum") {
-                cspConfig = {
-                    directives: {
-                        defaultSrc: ["'self'"],
-                        styleSrc: ["'self'", "'unsafe-inline'"],
-                        scriptSrc: ["'self'"],
-                        imgSrc: ["'self'", "data:", "https:"],
-                    },
-                };
-            }
-            else if (helmetConfig.contentSecurityPolicy) {
-                // Merge user CSP config with defaults from BuiltInMiddleware
-                cspConfig = helmetConfig.contentSecurityPolicy; // BuiltInMiddleware will handle merging
-            }
-            this.logger.debug("security", "Final cspConfig:", cspConfig);
-            this.helmetMiddleware = BuiltInMiddleware.helmet({
-                contentSecurityPolicy: cspConfig,
-                hsts: this.level !== "basic" || helmetConfig.hsts
-                    ? helmetConfig.hsts
-                    : undefined,
-                crossOriginEmbedderPolicy: this.level === "maximum",
-            });
-        }
-        // CORS middleware - use config if provided, otherwise use defaults
-        if (this.cors !== false) {
-            const corsConfig = typeof this.cors === "object"
-                ? this.cors
-                : {
-                    origin: this.level === "maximum" ? false : true,
-                    credentials: true,
-                    optionsSuccessStatus: 200,
-                };
-            this.logger.debug("security", `Initializing CORS with config: ${JSON.stringify(corsConfig)}`);
-            this.corsMiddleware = BuiltInMiddleware.cors(corsConfig);
-        }
-        // General rate limiting (separate from brute force protection)
-        if (this.rateLimit) {
-            const rateLimitConfig = typeof this.rateLimit === "object" ? this.rateLimit : {};
-            const maxRequests = rateLimitConfig.max || 100; // Default 100 requests
-            this.rateLimitMiddleware = BuiltInMiddleware.rateLimit({
-                windowMs: rateLimitConfig.windowMs || 15 * 60 * 1000, // 15 minutes
-                max: maxRequests,
-                message: rateLimitConfig.message, // BuiltInMiddleware will handle format conversion
-                standardHeaders: rateLimitConfig.standardHeaders !== false,
-                legacyHeaders: false,
-                skip: (req, res) => {
-                    // Custom skip function
-                    if (typeof rateLimitConfig.skip === "function") {
-                        // If a skip function is provided, it takes full control
-                        return rateLimitConfig.skip(req, res);
-                    }
-                    // Excluded paths (only used if no skip function is provided)
-                    if (rateLimitConfig.excludePaths &&
-                        Array.isArray(rateLimitConfig.excludePaths)) {
-                        return rateLimitConfig.excludePaths.some((p) => {
-                            if (typeof p === "string") {
-                                return (req.path === p || req.path.startsWith(p));
-                            }
-                            if (p instanceof RegExp) {
-                                return p.test(req.path);
-                            }
-                            return false;
-                        });
-                    }
-                    return false;
-                },
-            });
-            this.logger.debug("security", `General rate limiting initialized with max: ${maxRequests} requests per ${Math.ceil((rateLimitConfig.windowMs || 15 * 60 * 1000) / 1000)}s window`);
-        }
-        // CSRF protection using BuiltInMiddleware
-        if (this.csrf) {
-            this.logger.debug("security", "Initializing CSRF protection");
-            const csrfConfig = typeof this.csrf === "object" ? this.csrf : {};
-            this.csrfMiddleware = BuiltInMiddleware.csrf({
-                getSecret: (req) => this.authentication.session?.secret ||
-                    "ac934dfcffc9e037b6921b6d4e874e788bfba7c5f48d17332ef92c9c67450000",
-                getSessionIdentifier: (req) => req.session?.id,
-                cookieName: csrfConfig.cookieName || "__Host-csrf-token",
-                cookieOptions: {
-                    httpOnly: true,
-                    sameSite: "strict",
-                    secure: process.env.NODE_ENV === "production",
-                    maxAge: 24 * 60 * 60 * 1000, // 24 hours
-                    ...(csrfConfig.cookieOptions || {}),
-                },
-            });
-        }
-        this.logger.debug("security", "CSRF protection initialized");
-        // Browser-only protection
-        if (this.isBrowserOnlyEnabled()) {
-            this.logger.debug("security", "Initializing browser-only protection");
-            const browserOnlyConfig = typeof this.browserOnly === "object" ? this.browserOnly : {};
-            this.browserOnlyMiddleware =
-                BuiltInMiddleware.browserOnly(browserOnlyConfig);
-        }
-        // Terminal-only protection
-        if (this.isTerminalOnlyEnabled()) {
-            const terminalOnlyConfig = typeof this.terminalOnly === "object" ? this.terminalOnly : {};
-            this.terminalOnlyMiddleware =
-                BuiltInMiddleware.terminalOnly(terminalOnlyConfig);
-        }
-        // Mobile-only protection
-        if (this.isMobileOnlyEnabled()) {
-            const mobileOnlyConfig = typeof this.mobileOnly === "object" ? this.mobileOnly : {};
-            this.mobileOnlyMiddleware =
-                BuiltInMiddleware.mobileOnly(mobileOnlyConfig);
-            // Also create the protector instance for mobile detection
-            this.mobileOnlyProtector = new MobileOnlyProtector(mobileOnlyConfig, this.logger);
-        }
-        // Request signature protection (API authentication)
-        if (this.requestSignature) {
-            const requestSignatureConfig = typeof this.requestSignature === "object" &&
-                this.requestSignature !== null
-                ? this.requestSignature
-                : { secret: "default-secret" }; // This will be overridden by user config
-            this.requestSignatureMiddleware =
-                BuiltInMiddleware.requestSignature(requestSignatureConfig);
-        }
-        // Compression middleware
-        if (this.compression) {
-            const compressionConfig = typeof this.compression === "object" ? this.compression : {};
-            this.compressionMiddleware = BuiltInMiddleware.compression({
-                level: compressionConfig.level || 6,
-                threshold: compressionConfig.threshold || 1024,
-                filter: compressionConfig.filter,
-            });
-        }
-        // HTTP Parameter Pollution protection
-        if (this.hpp) {
-            const hppConfig = typeof this.hpp === "object" ? this.hpp : {};
-            this.hppMiddleware = BuiltInMiddleware.hpp({
-                whitelist: hppConfig.whitelist || ["tags", "categories"],
-                checkQuery: hppConfig.checkQuery !== false,
-                checkBody: hppConfig.checkBody !== false,
-            });
-        }
-    }
-    /**
-     * Get the main security middleware stack
-     * Returns a single middleware function that applies all security measures
-     */
-    getMiddleware() {
-        return (req, res, next) => {
-            this.applySecurityStack(req, res, next);
-        };
-    }
-    /**
-     * Apply all security middleware in the correct order
-     */
-    applySecurityStack(req, res, next) {
-        this.logger.debug("security", "Starting security middleware stack");
-        const middlewareStack = [];
-        // 🚨 CRITICAL: Access control middlewares FIRST (before any other processing)
-        // These must run before route resolution to block unwanted requests
-        // Handle device access controls
-        const browserEnabled = this.isBrowserOnlyEnabled();
-        const terminalEnabled = this.isTerminalOnlyEnabled();
-        const mobileEnabled = this.isMobileOnlyEnabled();
-        // 1. Terminal-only protection (blocks browser requests) - cannot be combined with others
-        if (terminalEnabled &&
-            this.terminalOnlyMiddleware &&
-            this.shouldApplySecurityModule(req, undefined, true)) {
-            this.logger.debug("security", "Adding terminal-only middleware (FIRST)");
-            middlewareStack.push(this.terminalOnlyMiddleware);
-        }
-        // 2. Browser-only and/or mobile-only protection
-        else if ((browserEnabled || mobileEnabled) &&
-            this.shouldApplySecurityModule(req, undefined, true)) {
-            // Create combined middleware for browser and mobile access control
-            const combinedDeviceMiddleware = this.createCombinedDeviceMiddleware(browserEnabled, mobileEnabled);
-            if (combinedDeviceMiddleware) {
-                this.logger.debug("security", `Adding combined device middleware (browser: ${browserEnabled}, mobile: ${mobileEnabled})`);
-                middlewareStack.push(combinedDeviceMiddleware);
-            }
-        }
-        // 3. Request signature protection (API authentication)
-        if (this.requestSignature &&
-            this.requestSignatureMiddleware &&
-            this.shouldApplySecurityModule(req, undefined, true)) {
-            this.logger.debug("security", "Adding request signature middleware (FIRST)");
-            middlewareStack.push(this.requestSignatureMiddleware);
-        }
-        // 4. Compression (should be early but after access control)
-        if (this.compression && this.compressionMiddleware) {
-            this.logger.debug("security", "Adding compression middleware");
-            middlewareStack.push(this.compressionMiddleware);
-        }
-        // 5. Security headers (Helmet)
-        if (this.helmet && this.helmetMiddleware) {
-            this.logger.debug("security", "Adding helmet middleware");
-            middlewareStack.push(this.helmetMiddleware);
-        }
-        // 6. CORS
-        if (this.cors !== false && this.corsMiddleware) {
-            this.logger.debug("security", "Adding CORS middleware");
-            middlewareStack.push(this.corsMiddleware);
-        }
-        // 8. General rate limiting (less strict)
-        if (this.rateLimit && this.rateLimitMiddleware) {
-            this.logger.debug("security", "Adding general rate limiting middleware");
-            middlewareStack.push(this.rateLimitMiddleware);
-        }
-        // 9. HTTP Parameter Pollution protection
-        if (this.hpp && this.hppMiddleware) {
-            this.logger.debug("security", "Adding HPP middleware");
-            middlewareStack.push(this.hppMiddleware);
-        }
-        // 13. XSS protection (custom implementation)
-        if (this.xss) {
-            this.logger.debug("security", "Adding XSS protection middleware");
-            middlewareStack.push(this.xssProtection.bind(this));
-        }
-        // 14. CSRF protection (should be after body parsing)
-        if (this.csrf && this.csrfMiddleware) {
-            this.logger.debug("security", "Adding CSRF middleware");
-            middlewareStack.push(this.csrfMiddleware);
-        }
-        this.logger.debug("security", `Total middleware in stack: ${middlewareStack.length}`);
-        // Execute middleware stack
-        this.executeMiddlewareStack(middlewareStack, req, res, next);
-    }
-    /**
-     * Execute middleware stack sequentially with proper async handling
-     */
-    executeMiddlewareStack(stack, req, res, finalNext) {
-        let index = 0;
-        let nextCalled = false;
-        this.logger.debug("security", `Executing middleware stack with ${stack.length} middleware`);
-        const next = (error) => {
-            if (nextCalled) {
-                this.logger.debug("security", "next() already called, ignoring duplicate call");
-                return;
-            }
-            if (error) {
-                nextCalled = true;
-                this.logger.debug("security", `Error in middleware at index ${index - 1}:`, error);
-                return finalNext(error);
-            }
-            if (index >= stack.length) {
-                nextCalled = true;
-                this.logger.debug("security", "All middleware completed, calling final next");
-                return finalNext();
-            }
-            const currentIndex = index;
-            this.logger.debug("security", `Executing middleware ${currentIndex + 1}/${stack.length}`);
-            const middleware = stack[index++];
-            try {
-                // Set a timeout to detect if middleware doesn't call next()
-                let timeoutId = null;
-                let middlewareCompleted = false;
-                const middlewareNext = (err) => {
-                    if (middlewareCompleted)
-                        return;
-                    middlewareCompleted = true;
-                    if (timeoutId) {
-                        clearTimeout(timeoutId);
-                    }
-                    this.logger.debug("security", `Middleware ${currentIndex + 1} completed`);
-                    next(err);
-                };
-                // Set timeout to detect hanging middleware
-                timeoutId = setTimeout(() => {
-                    if (!middlewareCompleted) {
-                        // If headers were already sent, it means the middleware blocked the request
-                        // and sent a response, so we should NOT continue the chain.
-                        if (res.headersSent) {
-                            this.logger.debug("security", `Middleware ${currentIndex + 1} blocked the request (headers sent), stopping chain`);
-                            middlewareCompleted = true;
-                            return;
-                        }
-                        this.logger.debug("security", `Middleware ${currentIndex + 1} timed out, continuing anyway`);
-                        middlewareCompleted = true;
-                        next();
-                    }
-                }, 100); // 100ms timeout
-                // Execute the middleware
-                middleware(req, res, middlewareNext);
-            }
-            catch (error) {
-                this.logger.debug("security", `Exception in middleware at index ${currentIndex}:`, error);
-                finalNext(error);
-            }
-        };
-        // Start the middleware chain
-        this.logger.debug("security", "Starting middleware chain");
-        next();
-    }
-    /**
-     * Custom XSS protection middleware
-     */
-    xssProtection(req, res, next) {
-        this.logger.debug("security", `Running XSS protection on ${req.path}`);
-        let maliciousContentDetected = false;
-        const detectedThreats = [];
-        // Check and sanitize request body
-        if (req.body && typeof req.body === "object") {
-            const { sanitized, threats } = this.sanitizeObjectWithDetection(req.body, "", req);
-            if (threats.length > 0) {
-                maliciousContentDetected = true;
-                threats.forEach((t) => {
-                    detectedThreats.push(...t.types.map((type) => `body.${t.path}:${type}`));
-                });
-            }
-            try {
-                req.body = sanitized;
-            }
-            catch (error) {
-                // Handle readonly property - create new object
-                Object.defineProperty(req, "body", {
-                    value: sanitized,
-                    writable: true,
-                    configurable: true,
-                });
-            }
-        }
-        // Check and sanitize query parameters
-        if (req.query && typeof req.query === "object") {
-            const { sanitized, threats } = this.sanitizeObjectWithDetection(req.query, "", req);
-            if (threats.length > 0) {
-                maliciousContentDetected = true;
-                threats.forEach((t) => {
-                    detectedThreats.push(...t.types.map((type) => `query.${t.path}:${type}`));
-                });
-            }
-            try {
-                req.query = sanitized;
-            }
-            catch (error) {
-                // Handle readonly property - create new object
-                Object.defineProperty(req, "query", {
-                    value: sanitized,
-                    writable: true,
-                    configurable: true,
-                });
-            }
-        }
-        // Check and sanitize URL parameters
-        if (req.params && typeof req.params === "object") {
-            const { sanitized, threats } = this.sanitizeObjectWithDetection(req.params, "", req);
-            if (threats.length > 0) {
-                maliciousContentDetected = true;
-                threats.forEach((t) => {
-                    detectedThreats.push(...t.types.map((type) => `params.${t.path}:${type}`));
-                });
-            }
-            try {
-                req.params = sanitized;
-            }
-            catch (error) {
-                // Handle readonly property - create new object
-                Object.defineProperty(req, "params", {
-                    value: sanitized,
-                    writable: true,
-                    configurable: true,
-                });
-            }
-        }
-        // Block request if malicious content was detected
-        if (maliciousContentDetected) {
-            this.logger.warn("security", `Security threat blocked from ${req.ip}. Threats detected: ${detectedThreats.join(", ")}`);
-            // Determine primary attack type
-            let primaryType = "Security Attack";
-            if (detectedThreats.some((t) => t.includes("SQL Injection")))
-                primaryType = "SQL Injection";
-            else if (detectedThreats.some((t) => t.includes("XSS")))
-                primaryType = "XSS";
-            else if (detectedThreats.some((t) => t.includes("Path Traversal")))
-                primaryType = "Path Traversal";
-            else if (detectedThreats.some((t) => t.includes("Command Injection")))
-                primaryType = "Command Injection";
-            else if (detectedThreats.some((t) => t.includes("XXE")))
-                primaryType = "XXE Attack";
-            else if (detectedThreats.some((t) => t.includes("LDAP")))
-                primaryType = "LDAP Injection";
-            // Trigger security attack hook
-            this.reportAttack(req, res, {
-                type: primaryType,
-                threats: detectedThreats,
-                ip: req.ip,
-                path: req.path,
-            });
-            res.status(400).json({
-                error: "Malicious content detected",
-                message: `Request blocked due to potential ${primaryType} attack`,
-                threats: detectedThreats,
-                timestamp: new Date().toISOString(),
-            });
-            return; // Don't call next() - block the request
-        }
-        next();
-    }
-    /**
-     * Recursively sanitize object properties
-     */
-    sanitizeObject(obj) {
-        if (typeof obj === "string") {
-            return xss(obj);
-        }
-        if (Array.isArray(obj)) {
-            return obj.map((item) => this.sanitizeObject(item));
-        }
-        if (obj && typeof obj === "object") {
-            const sanitized = {};
-            for (const [key, value] of Object.entries(obj)) {
-                sanitized[key] = this.sanitizeObject(value);
-            }
-            return sanitized;
-        }
-        return obj;
-    }
-    /**
-     * Sanitize object and detect threats
-     */
-    sanitizeObjectWithDetection(obj, path = "", req) {
-        const threats = [];
-        const sanitizeWithDetection = (value, currentPath) => {
-            if (typeof value === "string") {
-                const original = value;
-                let sanitized = original;
-                let threatDetected = false;
-                const detectedPatterns = [];
-                // XSS Detection
-                if (this.xss &&
-                    this.shouldApplySecurityModule(req, this.routeConfig?.xss)) {
-                    const xssSanitized = xss(original);
-                    if (original !== xssSanitized) {
-                        threatDetected = true;
-                        detectedPatterns.push("XSS");
-                        sanitized = xssSanitized;
-                    }
-                }
-                // SQL Injection Detection
-                if (this.sqlInjection &&
-                    this.shouldApplySecurityModule(req, this.routeConfig?.sqlInjection)) {
-                    const sqlResult = this.sqlInjectionDetector.detect(original, currentPath);
-                    if (sqlResult.isMalicious) {
-                        threatDetected = true;
-                        detectedPatterns.push(`SQL Injection (${sqlResult.riskLevel})`);
-                        // Use the SQL detector's sanitized version if available
-                        if (sqlResult.sanitizedInput) {
-                            sanitized = sqlResult.sanitizedInput;
-                        }
-                    }
-                }
-                // Path Traversal Detection
-                if (this.pathTraversal &&
-                    this.shouldApplySecurityModule(req, this.routeConfig?.pathTraversal)) {
-                    const pathResult = this.pathTraversalDetector.detect(original);
-                    if (pathResult.isMalicious) {
-                        threatDetected = true;
-                        detectedPatterns.push(`Path Traversal (${pathResult.riskLevel})`);
-                        if (pathResult.sanitizedInput) {
-                            sanitized = pathResult.sanitizedInput;
-                        }
-                    }
-                }
-                // Command Injection Detection
-                if (this.commandInjection &&
-                    this.shouldApplySecurityModule(req, this.routeConfig?.commandInjection)) {
-                    const cmdResult = this.commandInjectionDetector.detect(original);
-                    if (cmdResult.isMalicious) {
-                        threatDetected = true;
-                        detectedPatterns.push(`Command Injection (${cmdResult.riskLevel})`);
-                        if (cmdResult.sanitizedInput) {
-                            sanitized = cmdResult.sanitizedInput;
-                        }
-                    }
-                }
-                // XXE Detection (for XML content)
-                if (this.xxe &&
-                    this.shouldApplySecurityModule(req, this.routeConfig?.xxe) &&
-                    (original.includes("<?xml") ||
-                        original.includes("<!DOCTYPE"))) {
-                    const xxeResult = this.xxeProtector.detect(original);
-                    if (xxeResult.isMalicious) {
-                        threatDetected = true;
-                        detectedPatterns.push(`XXE Attack (${xxeResult.riskLevel})`);
-                        if (xxeResult.sanitizedInput) {
-                            sanitized = xxeResult.sanitizedInput;
-                        }
-                    }
-                }
-                // LDAP Injection Detection
-                if (this.ldapInjection &&
-                    this.shouldApplySecurityModule(req, this.routeConfig?.ldapInjection)) {
-                    const ldapResult = this.ldapInjectionDetector.detect(original);
-                    if (ldapResult.isMalicious) {
-                        threatDetected = true;
-                        detectedPatterns.push(`LDAP Injection (${ldapResult.riskLevel})`);
-                        if (ldapResult.sanitizedInput) {
-                            sanitized = ldapResult.sanitizedInput;
-                        }
-                    }
-                }
-                // Additional threat detection for patterns XSS library might miss
-                if (this.xss &&
-                    this.shouldApplySecurityModule(req, this.routeConfig?.xss)) {
-                    const additionalThreats = [
-                        /javascript:/i,
-                        /vbscript:/i,
-                        /data:text\/html/i,
-                        /\s+on(load|click|error|mouseover|submit)\s*=/i, // Specific common event handlers
-                        /<iframe/i,
-                        /<object/i,
-                        /<embed/i,
-                        /<link\s+rel=["']?stylesheet["']?/i,
-                        /<meta\s+http-equiv=["']?refresh["']?/i,
-                        /expression\s*\(/i, // CSS expression()
-                        /url\s*\(\s*javascript:/i,
-                    ];
-                    for (const pattern of additionalThreats) {
-                        if (pattern.test(original)) {
-                            threatDetected = true;
-                            detectedPatterns.push("Enhanced XSS");
-                            // Sanitize these additional threats
-                            sanitized = original.replace(pattern, "[BLOCKED]");
-                            break;
-                        }
-                    }
-                }
-                if (threatDetected) {
-                    threats.push({
-                        path: currentPath || "root",
-                        types: detectedPatterns,
-                    });
-                    // Log the specific threats detected
-                    this.logger.warn("security", `Security threat detected in ${currentPath || "root"}: ${detectedPatterns.join(", ")}`);
-                }
-                return sanitized;
-            }
-            if (Array.isArray(value)) {
-                return value.map((item, index) => sanitizeWithDetection(item, `${currentPath}[${index}]`));
-            }
-            if (value && typeof value === "object") {
-                const sanitized = {};
-                for (const [key, val] of Object.entries(value)) {
-                    const newPath = currentPath ? `${currentPath}.${key}` : key;
-                    sanitized[key] = sanitizeWithDetection(val, newPath);
-                }
-                return sanitized;
-            }
-            return value;
-        };
-        const sanitized = sanitizeWithDetection(obj, path);
-        return { sanitized, threats };
-    }
-    /**
-     * Get CSRF token for client-side usage
-     */
-    generateCsrfToken(req) {
-        if (this.csrf && req.csrfToken) {
-            return req.csrfToken();
-        }
-        return null;
-    }
-    /**
-     * Check if browser-only protection is enabled
-     */
-    isBrowserOnlyEnabled() {
-        if (this.browserOnly === true)
-            return true;
-        if (typeof this.browserOnly === "object" && this.browserOnly !== null) {
-            return this.browserOnly.enable !== false; // Default to true when config provided
-        }
-        return false;
-    }
-    /**
-     * Check if terminal-only protection is enabled
-     */
-    isTerminalOnlyEnabled() {
-        if (this.terminalOnly === true)
-            return true;
-        if (typeof this.terminalOnly === "object" &&
-            this.terminalOnly !== null) {
-            return this.terminalOnly.enable !== false; // Default to true when config provided
-        }
-        return false;
-    }
-    /**
-     * Check if mobile-only protection is enabled
-     */
-    isMobileOnlyEnabled() {
-        if (this.mobileOnly === true)
-            return true;
-        if (typeof this.mobileOnly === "object" && this.mobileOnly !== null) {
-            return this.mobileOnly.enable !== false; // Check enable property, default to true when config provided
-        }
-        return false;
-    }
-    /**
-     * Validate device access configuration
-     */
-    validateDeviceAccessConfig() {
-        // Check enabled device access controls
-        const browserEnabled = this.isBrowserOnlyEnabled();
-        const terminalEnabled = this.isTerminalOnlyEnabled();
-        const mobileEnabled = this.isMobileOnlyEnabled();
-        // Terminal-only cannot be combined with browser-only or mobile-only
-        if (terminalEnabled && (browserEnabled || mobileEnabled)) {
-            throw new Error("Security configuration error: terminalOnly cannot be enabled simultaneously with browserOnly or mobileOnly. " +
-                "Choose terminalOnly alone, or browserOnly and/or mobileOnly.");
-        }
-        // Browser-only and mobile-only can be enabled together (they will be applied based on request characteristics)
-        // No other restrictions needed
-    }
-    /**
-     * Create combined middleware for browser and mobile access control
-     */
-    createCombinedDeviceMiddleware(browserEnabled, mobileEnabled) {
-        // If neither is enabled, return null
-        if (!browserEnabled && !mobileEnabled) {
-            return null;
-        }
-        // If only one is enabled, return that middleware directly
-        if (browserEnabled && !mobileEnabled && this.browserOnlyMiddleware) {
-            return this.browserOnlyMiddleware;
-        }
-        if (mobileEnabled && !browserEnabled && this.mobileOnlyMiddleware) {
-            return this.mobileOnlyMiddleware;
-        }
-        // Both are enabled - create combined logic
-        if (!this.browserOnlyMiddleware || !this.mobileOnlyMiddleware) {
-            return null; // Should not happen if validation passed
-        }
-        return (req, res, next) => {
-            // First check if it's a mobile request
-            const isMobileRequest = this.isMobileRequest(req);
-            if (isMobileRequest) {
-                // Apply mobile-only rules
-                this.logger.debug("security", "Applying mobile-only rules for mobile request");
-                return this.mobileOnlyMiddleware(req, res, next);
-            }
-            else {
-                // Apply browser-only rules
-                this.logger.debug("security", "Applying browser-only rules for non-mobile request");
-                return this.browserOnlyMiddleware(req, res, next);
-            }
-        };
-    }
-    /**
-     * Check if request is from a mobile device (using MobileOnlyProtector logic)
-     */
-    isMobileRequest(req) {
-        if (!this.mobileOnlyProtector) {
-            // If no mobile protector, assume not mobile
-            return false;
-        }
-        return this.mobileOnlyProtector.isMobileRequest(req);
-    }
-    /**
-     * Get security configuration
-     */
-    getConfig() {
-        return {
-            level: this.level,
-            csrf: this.csrf,
-            helmet: this.helmet,
-            browserOnly: this.browserOnly,
-            terminalOnly: this.terminalOnly,
-            mobileOnly: this.mobileOnly,
-            deviceAccess: this.deviceAccess,
-            requestSignature: this.requestSignature,
-            xss: this.xss,
-            sqlInjection: this.sqlInjection,
-            pathTraversal: this.pathTraversal,
-            commandInjection: this.commandInjection,
-            xxe: this.xxe,
-            ldapInjection: this.ldapInjection,
-            bruteForce: this.bruteForce,
-            rateLimit: this.rateLimit,
-            cors: this.cors,
-            compression: this.compression,
-            hpp: this.hpp,
-            mongoSanitize: this.mongoSanitize,
-            slowDown: this.slowDown,
-            encryption: this.encryption,
-            authentication: this.authentication,
-            routeConfig: this.routeConfig,
-            _ignore: this._ignore,
-            _ignoreAll: this._ignoreAll,
-        };
-    }
-    /**
-     * Check if a route matches a pattern
-     */
-    matchesRoute(requestPath, requestMethod, pattern) {
-        // Handle RoutePattern object
-        if (typeof pattern === "object" && "path" in pattern) {
-            const routePattern = pattern;
-            // Check method if specified
-            if (routePattern.methods && routePattern.methods.length > 0) {
-                if (!routePattern.methods.includes(requestMethod.toUpperCase())) {
-                    return false;
-                }
-            }
-            return this.matchesRoute(requestPath, requestMethod, routePattern.path);
-        }
-        // Handle RegExp
-        if (pattern instanceof RegExp) {
-            return pattern.test(requestPath);
-        }
-        // Handle string patterns with wildcards
-        const patternStr = pattern;
-        // Normalize paths by removing trailing slashes for comparison
-        const normalizedRequestPath = requestPath.replace(/\/$/, "");
-        const normalizedPattern = patternStr.replace(/\/$/, "");
-        // Exact match (after normalization)
-        if (normalizedPattern === normalizedRequestPath) {
-            return true;
-        }
-        // Wildcard matching (e.g., /api/* matches /api/anything)
-        if (patternStr.includes("*")) {
-            // Handle trailing /* specially to match with or without trailing slash
-            if (patternStr.endsWith("/*")) {
-                const prefix = patternStr.slice(0, -2); // Remove /*
-                // Match if requestPath starts with prefix, optionally followed by /
-                const regex = new RegExp(`^${prefix.replace(/[.+?^${}()|[\]\\]/g, "\\$&")}(?:/.*)?$`);
-                return regex.test(requestPath);
-            }
-            else {
-                const regexPattern = patternStr
-                    .replace(/[.+?^${}()|[\]\\]/g, "\\$&") // Escape special regex chars except *
-                    .replace(/\*/g, ".*"); // Convert * to .*
-                const regex = new RegExp(`^${regexPattern}$`);
-                return regex.test(requestPath);
-            }
-        }
-        // Path prefix matching (for patterns without wildcards)
-        if (normalizedRequestPath.startsWith(normalizedPattern)) {
-            return true;
-        }
-        return false;
-    }
-    /**
-     * Evaluates if a security module should be applied to the current request.
-     *
-     * @param req The incoming request
-     * @param moduleConfig Optional route-specific configuration for the module
-     * @param absoluteBypassOnly If true, only checks against _ignoreAll (used for access control/signatures)
-     * @returns boolean True if the security module should be applied
-     */
-    shouldApplySecurityModule(req, moduleConfig, absoluteBypassOnly = false) {
-        const requestPath = req.path || req.url || "";
-        const requestMethod = req.method || "GET";
-        // 1. 🚨 Absolute Ignore List Check (_ignoreAll)
-        // High priority bypass for ALL security layers (detectors + access control)
-        if (this._ignoreAll.length > 0) {
-            const isAbsolutelyIgnored = this._ignoreAll.some((pattern) => {
-                if (typeof pattern === "string") {
-                    return this.matchesRoute(requestPath, requestMethod, pattern);
-                }
-                if (pattern instanceof RegExp) {
-                    return pattern.test(requestPath);
-                }
-                return false;
-            });
-            if (isAbsolutelyIgnored) {
-                this.logger.debug("security", `Route ${requestPath} is ABSOLUTELY ignored by security middleware`);
-                return false;
-            }
-        }
-        // 2. 🛡️ Content-Only Ignore List Check (_ignore)
-        // Bypass for content-based detectors only (XSS, SQLi, etc.)
-        if (!absoluteBypassOnly && this._ignore.length > 0) {
-            const isContentIgnored = this._ignore.some((pattern) => {
-                if (typeof pattern === "string") {
-                    return this.matchesRoute(requestPath, requestMethod, pattern);
-                }
-                if (pattern instanceof RegExp) {
-                    return pattern.test(requestPath);
-                }
-                return false;
-            });
-            if (isContentIgnored) {
-                this.logger.debug("security", `Route ${requestPath} bypassed content-based security detectors`);
-                return false;
-            }
-        }
-        if (!moduleConfig) {
-            return true; // Apply by default if no route config
-        }
-        // Check includeRoutes first (whitelist approach)
-        if (moduleConfig.includeRoutes &&
-            moduleConfig.includeRoutes.length > 0) {
-            // Only apply if route is in the include list
-            return moduleConfig.includeRoutes.some((pattern) => this.matchesRoute(requestPath, requestMethod, pattern));
-        }
-        // Check excludeRoutes (blacklist approach)
-        if (moduleConfig.excludeRoutes &&
-            moduleConfig.excludeRoutes.length > 0) {
-            // Don't apply if route is in the exclude list
-            const isExcluded = moduleConfig.excludeRoutes.some((pattern) => this.matchesRoute(requestPath, requestMethod, pattern));
-            return !isExcluded;
-        }
-        return true; // Apply by default
-    }
-    /**
-     * Report a security attack to the plugin manager
-     */
-    reportAttack(req, res, attackData) {
-        const pluginManager = req.app?.pluginManager;
-        this.logger.debug("security", `Reporting attack. PluginManager found: ${!!pluginManager}`);
-        if (pluginManager &&
-            typeof pluginManager.triggerSecurityAttack === "function") {
-            pluginManager.triggerSecurityAttack(attackData, req, res);
-        }
-    }
-}
-//# sourceMappingURL=security-middleware.js.map