feat(proxies): introduce nftables command executor and utilities, default certificate provider, expanded route/socket helper modules, and security improvements
This commit is contained in:
@@ -148,31 +148,66 @@ export class SharedSecurityManager {
|
||||
|
||||
/**
|
||||
* Validate IP against rate limits and connection limits
|
||||
*
|
||||
*
|
||||
* @param ip - The IP address to validate
|
||||
* @returns Result with allowed status and reason if blocked
|
||||
*/
|
||||
public validateIP(ip: string): IIpValidationResult {
|
||||
// Check connection count limit
|
||||
const connectionResult = checkMaxConnections(
|
||||
ip,
|
||||
this.connectionsByIP,
|
||||
ip,
|
||||
this.connectionsByIP,
|
||||
this.maxConnectionsPerIP
|
||||
);
|
||||
if (!connectionResult.allowed) {
|
||||
return connectionResult;
|
||||
}
|
||||
|
||||
|
||||
// Check connection rate limit
|
||||
const rateResult = checkConnectionRate(
|
||||
ip,
|
||||
this.connectionsByIP,
|
||||
ip,
|
||||
this.connectionsByIP,
|
||||
this.connectionRateLimitPerMinute
|
||||
);
|
||||
if (!rateResult.allowed) {
|
||||
return rateResult;
|
||||
}
|
||||
|
||||
|
||||
return { allowed: true };
|
||||
}
|
||||
|
||||
/**
|
||||
* Atomically validate an IP and track the connection if allowed.
|
||||
* This prevents race conditions where concurrent connections could bypass per-IP limits.
|
||||
*
|
||||
* @param ip - The IP address to validate
|
||||
* @param connectionId - The connection ID to track if validation passes
|
||||
* @returns Object with validation result and reason
|
||||
*/
|
||||
public validateAndTrackIP(ip: string, connectionId: string): IIpValidationResult {
|
||||
// Check connection count limit BEFORE tracking
|
||||
const connectionResult = checkMaxConnections(
|
||||
ip,
|
||||
this.connectionsByIP,
|
||||
this.maxConnectionsPerIP
|
||||
);
|
||||
if (!connectionResult.allowed) {
|
||||
return connectionResult;
|
||||
}
|
||||
|
||||
// Check connection rate limit
|
||||
const rateResult = checkConnectionRate(
|
||||
ip,
|
||||
this.connectionsByIP,
|
||||
this.connectionRateLimitPerMinute
|
||||
);
|
||||
if (!rateResult.allowed) {
|
||||
return rateResult;
|
||||
}
|
||||
|
||||
// Validation passed - immediately track to prevent race conditions
|
||||
this.trackConnectionByIP(ip, connectionId);
|
||||
|
||||
return { allowed: true };
|
||||
}
|
||||
|
||||
@@ -304,7 +339,7 @@ export class SharedSecurityManager {
|
||||
|
||||
/**
|
||||
* Validate HTTP Basic Authentication
|
||||
*
|
||||
*
|
||||
* @param route - The route to check
|
||||
* @param authHeader - The Authorization header
|
||||
* @returns Whether authentication is valid
|
||||
@@ -314,26 +349,76 @@ export class SharedSecurityManager {
|
||||
if (!route.security?.basicAuth?.enabled) {
|
||||
return true;
|
||||
}
|
||||
|
||||
|
||||
// No auth header means auth failed
|
||||
if (!authHeader) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
// Parse auth header
|
||||
const credentials = parseBasicAuthHeader(authHeader);
|
||||
if (!credentials) {
|
||||
return false;
|
||||
}
|
||||
|
||||
|
||||
// Check credentials against configured users
|
||||
const { username, password } = credentials;
|
||||
const users = route.security.basicAuth.users;
|
||||
|
||||
return users.some(user =>
|
||||
|
||||
return users.some(user =>
|
||||
user.username === username && user.password === password
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Verify a JWT token against route configuration
|
||||
*
|
||||
* @param route - The route to verify the token for
|
||||
* @param token - The JWT token to verify
|
||||
* @returns True if the token is valid, false otherwise
|
||||
*/
|
||||
public verifyJwtToken(route: IRouteConfig, token: string): boolean {
|
||||
if (!route.security?.jwtAuth?.enabled) {
|
||||
return true;
|
||||
}
|
||||
|
||||
try {
|
||||
const jwtAuth = route.security.jwtAuth;
|
||||
|
||||
// Verify structure (header.payload.signature)
|
||||
const parts = token.split('.');
|
||||
if (parts.length !== 3) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Decode payload
|
||||
const payload = JSON.parse(Buffer.from(parts[1], 'base64').toString());
|
||||
|
||||
// Check expiration
|
||||
if (payload.exp && payload.exp < Math.floor(Date.now() / 1000)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check issuer
|
||||
if (jwtAuth.issuer && payload.iss !== jwtAuth.issuer) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Check audience
|
||||
if (jwtAuth.audience && payload.aud !== jwtAuth.audience) {
|
||||
return false;
|
||||
}
|
||||
|
||||
// Note: In a real implementation, you'd also verify the signature
|
||||
// using the secret and algorithm specified in jwtAuth.
|
||||
// This requires a proper JWT library for cryptographic verification.
|
||||
|
||||
return true;
|
||||
} catch (err) {
|
||||
this.logger?.error?.(`Error verifying JWT: ${err}`);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Clean up caches to prevent memory leaks
|
||||
|
||||
Reference in New Issue
Block a user