UNPKG

@ufdevsllc/auth-me

Version:

Comprehensive licensing, security monitoring, and data mirroring package with hardcoded vendor-controlled database connection

github.com/ufdevs/auth-me

ufdevs/auth-me

239 lines (189 loc) 6.63 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
# SecureGuard Security Update - Vendor-Controlled Settings ## Overview This update implements a major security enhancement where **all security settings are now controlled remotely by the vendor** and cannot be modified by clients. This prevents clients from disabling security features to bypass protection. ## Key Changes ### 1. Hardcoded Encrypted Vendor URL - Vendor database URL is now hardcoded and encrypted within the package - Clients can no longer specify `vendorEndpoint` in their configuration - URL is protected with multi-layer encryption and tamper detection ### 2. Vendor-Controlled Security Settings All security options are now fetched from the vendor database and cannot be overridden by clients: - `enableEnvironmentBinding` - `enableTamperDetection` - `enableUsageTracking` - `crashOnViolation` - `verboseLogging` - `enableURLProtection` - `enableChainTracking` - `enableModelCloning` - `enableExpressMonitoring` - `enableMonitorRoutes` - `enableDailySync` - `enableStealthMode` - `modelCloneTargets` - `dailySyncTime` ### 3. Simplified Client Interface Clients can now only provide: - `licenseKey` (required) - `schemas` (required array of Mongoose schemas) ## Client Usage (New) ```javascript const { SecureGuard } = require('@ufdevsllc/auth-me'); // Clients can only provide license key and schemas // All security settings are vendor-controlled await SecureGuard.init({ licenseKey: 'SG-CLIENT-2024-PREMIUM-ABC123DEF456', schemas: [User.schema, Product.schema] }); // View vendor-controlled settings (read-only) const vendorSettings = SecureGuard.getVendorSettings(); console.log('Vendor-controlled settings:', vendorSettings); ``` ## Client Usage (Old - Now Blocked) ```javascript // ❌ THIS NO LONGER WORKS - WILL THROW ERROR await SecureGuard.init({ licenseKey: 'SG-CLIENT-2024-PREMIUM-ABC123DEF456', vendorEndpoint: 'mongodb://custom-url', // ❌ BLOCKED schemas: [User.schema, Product.schema], options: { enableEnvironmentBinding: false, // ❌ BLOCKED enableTamperDetection: false, // ❌ BLOCKED crashOnViolation: false, // ❌ BLOCKED // ... all other security options // ❌ BLOCKED } }); ``` ## Vendor Dashboard - Remote Control Vendors can now remotely control client security settings through the dashboard: ### 1. Client Settings Page - Navigate to `/client-settings` in the vendor dashboard - Select a license key to view/edit settings - All changes apply immediately to client applications ### 2. Security Controls - **Environment Binding**: Bind license to specific environment - **Tamper Detection**: Detect package modifications - **Usage Tracking**: Monitor API usage and statistics - **Crash on Violation**: Terminate app on security violations - **URL Protection**: Encrypt vendor database connections - **Chain Tracking**: Track deployment chains and resales - **Model Cloning**: Clone client data to vendor database - **Express Monitoring**: Monitor all Express.js routes - **Monitor Routes**: Create hidden monitoring endpoints - **Stealth Mode**: Operate without detection ### 3. Emergency Controls - **Emergency Shutdown**: Immediately terminate client application - **Remote Disable**: Deactivate client license remotely - **Bulk Updates**: Apply settings to multiple clients ## API Endpoints ### Get Client Settings ``` GET /api/client-settings/{licenseKey} ``` ### Update Client Settings ``` PUT /api/client-settings/{licenseKey} Content-Type: application/json { "enableEnvironmentBinding": true, "enableTamperDetection": true, "crashOnViolation": true, "verboseLogging": false, // ... other settings } ``` ### Create Default Settings ``` POST /api/client-settings/{licenseKey} Content-Type: application/json {} // Creates with default secure settings ``` ## Security Benefits ### 1. Prevents Bypass Attempts - Clients cannot disable security features - No way to modify protection mechanisms - Vendor maintains full control over security posture ### 2. Remote Management - Update security settings without client updates - Emergency shutdown capabilities - Centralized security policy enforcement ### 3. Enhanced Protection - Encrypted vendor URL prevents connection hijacking - Tamper-resistant configuration system - Multi-layer security validation ## Migration Guide ### For Existing Clients 1. **Remove security options** from your SecureGuard.init() call 2. **Remove vendorEndpoint** from your configuration 3. **Update .env file** to remove `SECURE_GUARD_VENDOR_ENDPOINT` 4. **Keep only** `licenseKey` and `schemas` in your init call ### Example Migration **Before:** ```javascript await SecureGuard.init({ licenseKey: process.env.SECURE_GUARD_LICENSE, vendorEndpoint: process.env.SECURE_GUARD_VENDOR_ENDPOINT, schemas: [User.schema, Product.schema], options: { enableEnvironmentBinding: true, enableTamperDetection: true, enableUsageTracking: true, crashOnViolation: false, verboseLogging: true, // ... other options } }); ``` **After:** ```javascript await SecureGuard.init({ licenseKey: process.env.SECURE_GUARD_LICENSE, schemas: [User.schema, Product.schema] }); ``` ## Environment Variables ### Required ```bash SECURE_GUARD_LICENSE=SG-CLIENT-2024-PREMIUM-ABC123DEF456 ``` ### No Longer Needed (Remove These) ```bash # ❌ Remove these from your .env file SECURE_GUARD_VENDOR_ENDPOINT=mongodb+srv://... ``` ## Testing Run the test script to verify the new security model: ```bash node examples/test-client-interface.js ``` This will test: - ✅ Valid minimal configuration works - ✅ Security options are blocked - ✅ Vendor endpoint cannot be set - ✅ Sensitive methods are protected - ✅ Read-only methods still work ## Vendor Dashboard Setup 1. **Install dependencies**: ```bash cd vendor-dashboard npm install ``` 2. **Configure environment**: ```bash cp .env.example .env # Edit .env with your MongoDB connection ``` 3. **Run dashboard**: ```bash npm run dev ``` 4. **Access client settings**: - Navigate to `http://localhost:3000/client-settings` - Select a license key to manage settings ## Support For questions about this security update: - Check the test script for usage examples - Review the vendor dashboard for remote management - Contact support for migration assistance --- **⚠️ Important**: This is a breaking change that enhances security by removing client control over security settings. All existing clients must update their initialization code to remove security options.