Compare commits
8 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
f7cd514997
|
||
|
|
3a4f6624fc
|
||
|
|
8a146a2e1d
|
||
|
|
1ab6e1a969
|
||
|
|
e27a98ca89
|
||
|
|
7b22fd9a4e
|
||
|
|
0706c47a33
|
||
|
|
378c41ddb2
|
@@ -42,6 +42,7 @@ DOMAIN_NAME=localhost
|
||||
|
||||
ENABLE_CORS=false
|
||||
CORS_DOMAIN_NAME=localhost
|
||||
SENTRY_DSN=
|
||||
|
||||
# Media Limits (in KB)
|
||||
MAX_IMAGE_SIZE_KB=512
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@memegoat/backend",
|
||||
"version": "1.9.7",
|
||||
"version": "1.10.2",
|
||||
"description": "",
|
||||
"author": "",
|
||||
"private": true,
|
||||
|
||||
@@ -103,10 +103,9 @@ export class AuthService {
|
||||
}
|
||||
|
||||
async login(dto: LoginDto, userAgent?: string, ip?: string) {
|
||||
this.logger.log(`Login attempt for email: ${dto.email}`);
|
||||
const { email, password } = dto;
|
||||
|
||||
const emailHash = await this.hashingService.hashEmail(email);
|
||||
const emailHash = await this.hashingService.hashEmail(dto.email);
|
||||
this.logger.log(`Login attempt for email hash: ${emailHash}`);
|
||||
const { password } = dto;
|
||||
const user = await this.usersService.findByEmailHash(emailHash);
|
||||
|
||||
if (!user) {
|
||||
|
||||
90
backend/src/common/filters/http-exception.filter.spec.ts
Normal file
90
backend/src/common/filters/http-exception.filter.spec.ts
Normal file
@@ -0,0 +1,90 @@
|
||||
import { ArgumentsHost, HttpException, HttpStatus } from "@nestjs/common";
|
||||
import { Test, TestingModule } from "@nestjs/testing";
|
||||
import * as Sentry from "@sentry/nestjs";
|
||||
import { AllExceptionsFilter } from "./http-exception.filter";
|
||||
|
||||
jest.mock("@sentry/nestjs", () => ({
|
||||
captureException: jest.fn(),
|
||||
withScope: jest.fn((callback) => {
|
||||
const scope = {
|
||||
setUser: jest.fn(),
|
||||
setTag: jest.fn(),
|
||||
setExtra: jest.fn(),
|
||||
};
|
||||
callback(scope);
|
||||
return scope;
|
||||
}),
|
||||
}));
|
||||
|
||||
describe("AllExceptionsFilter", () => {
|
||||
let filter: AllExceptionsFilter;
|
||||
|
||||
beforeEach(async () => {
|
||||
const module: TestingModule = await Test.createTestingModule({
|
||||
providers: [AllExceptionsFilter],
|
||||
}).compile();
|
||||
|
||||
filter = module.get<AllExceptionsFilter>(AllExceptionsFilter);
|
||||
});
|
||||
|
||||
it("should hash the IP address and send it to Sentry for 500 errors", () => {
|
||||
const mockResponse = {
|
||||
status: jest.fn().mockReturnThis(),
|
||||
json: jest.fn().mockReturnThis(),
|
||||
};
|
||||
const mockRequest = {
|
||||
url: "/test",
|
||||
method: "GET",
|
||||
ip: "127.0.0.1",
|
||||
user: { sub: "user-123" },
|
||||
};
|
||||
const mockArgumentsHost = {
|
||||
switchToHttp: () => ({
|
||||
getResponse: () => mockResponse,
|
||||
getRequest: () => mockRequest,
|
||||
}),
|
||||
} as ArgumentsHost;
|
||||
|
||||
const exception = new Error("Internal Server Error");
|
||||
|
||||
filter.catch(exception, mockArgumentsHost);
|
||||
|
||||
expect(mockResponse.status).toHaveBeenCalledWith(
|
||||
HttpStatus.INTERNAL_SERVER_ERROR,
|
||||
);
|
||||
expect(Sentry.withScope).toHaveBeenCalled();
|
||||
|
||||
// Vérifier que captureException a été appelé (via withScope)
|
||||
expect(Sentry.captureException).toHaveBeenCalledWith(exception);
|
||||
});
|
||||
|
||||
it("should include hashed IP in logs", () => {
|
||||
const loggerSpy = jest.spyOn((filter as any).logger, "warn");
|
||||
const mockResponse = {
|
||||
status: jest.fn().mockReturnThis(),
|
||||
json: jest.fn().mockReturnThis(),
|
||||
};
|
||||
const mockRequest = {
|
||||
url: "/test",
|
||||
method: "GET",
|
||||
ip: "1.2.3.4",
|
||||
};
|
||||
const mockArgumentsHost = {
|
||||
switchToHttp: () => ({
|
||||
getResponse: () => mockResponse,
|
||||
getRequest: () => mockRequest,
|
||||
}),
|
||||
} as ArgumentsHost;
|
||||
|
||||
const exception = new HttpException("Bad Request", HttpStatus.BAD_REQUEST);
|
||||
|
||||
filter.catch(exception, mockArgumentsHost);
|
||||
|
||||
expect(mockResponse.status).toHaveBeenCalledWith(HttpStatus.BAD_REQUEST);
|
||||
|
||||
// L'IP 1.2.3.4 hachée en SHA256 contient un hash de 64 caractères
|
||||
const logCall = loggerSpy.mock.calls[0][0];
|
||||
expect(logCall).toMatch(/[a-f0-9]{64}/);
|
||||
expect(logCall).not.toContain("1.2.3.4");
|
||||
});
|
||||
});
|
||||
@@ -1,3 +1,4 @@
|
||||
import { createHash } from "node:crypto";
|
||||
import {
|
||||
ArgumentsHost,
|
||||
Catch,
|
||||
@@ -39,6 +40,11 @@ export class AllExceptionsFilter implements ExceptionFilter {
|
||||
const userId = request.user?.sub || request.user?.id;
|
||||
const userPart = userId ? `[User: ${userId}] ` : "";
|
||||
|
||||
const ip = request.ip || "unknown";
|
||||
const hashedIp = createHash("sha256")
|
||||
.update(ip as string)
|
||||
.digest("hex");
|
||||
|
||||
const errorResponse = {
|
||||
statusCode: status,
|
||||
timestamp: new Date().toISOString(),
|
||||
@@ -51,14 +57,20 @@ export class AllExceptionsFilter implements ExceptionFilter {
|
||||
};
|
||||
|
||||
if (status === HttpStatus.INTERNAL_SERVER_ERROR) {
|
||||
Sentry.captureException(exception);
|
||||
Sentry.withScope((scope) => {
|
||||
scope.setUser({
|
||||
id: userId,
|
||||
ip_address: hashedIp,
|
||||
});
|
||||
Sentry.captureException(exception);
|
||||
});
|
||||
this.logger.error(
|
||||
`${userPart}${request.method} ${request.url} - Error: ${exception instanceof Error ? exception.message : "Unknown error"}`,
|
||||
`${userPart}${hashedIp} ${request.method} ${request.url} - Error: ${exception instanceof Error ? exception.message : "Unknown error"}`,
|
||||
exception instanceof Error ? exception.stack : "",
|
||||
);
|
||||
} else {
|
||||
this.logger.warn(
|
||||
`${userPart}${request.method} ${request.url} - Status: ${status} - Message: ${JSON.stringify(message)}`,
|
||||
`${userPart}${hashedIp} ${request.method} ${request.url} - Status: ${status} - Message: ${JSON.stringify(message)}`,
|
||||
);
|
||||
}
|
||||
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
import { createHash } from "node:crypto";
|
||||
import { CACHE_MANAGER } from "@nestjs/cache-manager";
|
||||
import { Inject, Injectable, Logger, NestMiddleware } from "@nestjs/common";
|
||||
import type { Cache } from "cache-manager";
|
||||
@@ -48,11 +49,15 @@ export class CrawlerDetectionMiddleware implements NestMiddleware {
|
||||
const { method, url, ip } = req;
|
||||
const userAgent = req.get("user-agent") || "unknown";
|
||||
|
||||
const hashedIp = createHash("sha256")
|
||||
.update(ip as string)
|
||||
.digest("hex");
|
||||
|
||||
// Vérifier si l'IP est bannie
|
||||
try {
|
||||
const isBanned = await this.cacheManager.get(`banned_ip:${ip}`);
|
||||
if (isBanned) {
|
||||
this.logger.warn(`Banned IP attempt: ${ip} -> ${method} ${url}`);
|
||||
this.logger.warn(`Banned IP attempt: ${hashedIp} -> ${method} ${url}`);
|
||||
res.status(403).json({
|
||||
message: "Access denied: Your IP has been temporarily banned.",
|
||||
});
|
||||
@@ -60,7 +65,7 @@ export class CrawlerDetectionMiddleware implements NestMiddleware {
|
||||
}
|
||||
} catch (error) {
|
||||
this.logger.error(
|
||||
`Error checking ban status for IP ${ip}: ${error.message}`,
|
||||
`Error checking ban status for IP ${hashedIp}: ${error.message}`,
|
||||
);
|
||||
// On continue même en cas d'erreur Redis pour ne pas bloquer les utilisateurs légitimes
|
||||
}
|
||||
@@ -76,14 +81,14 @@ export class CrawlerDetectionMiddleware implements NestMiddleware {
|
||||
|
||||
if (isSuspiciousPath || isBotUserAgent) {
|
||||
this.logger.warn(
|
||||
`Potential crawler detected: [${ip}] ${method} ${url} - User-Agent: ${userAgent}`,
|
||||
`Potential crawler detected: [${hashedIp}] ${method} ${url} - User-Agent: ${userAgent}`,
|
||||
);
|
||||
|
||||
// Bannir l'IP pour 24h via Redis
|
||||
try {
|
||||
await this.cacheManager.set(`banned_ip:${ip}`, true, 86400000);
|
||||
} catch (error) {
|
||||
this.logger.error(`Error banning IP ${ip}: ${error.message}`);
|
||||
this.logger.error(`Error banning IP ${hashedIp}: ${error.message}`);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,8 +1,13 @@
|
||||
import { CACHE_MANAGER } from "@nestjs/cache-manager";
|
||||
import { Test, TestingModule } from "@nestjs/testing";
|
||||
import * as Sentry from "@sentry/nestjs";
|
||||
import { DatabaseService } from "./database/database.service";
|
||||
import { HealthController } from "./health.controller";
|
||||
|
||||
jest.mock("@sentry/nestjs", () => ({
|
||||
getClient: jest.fn(),
|
||||
}));
|
||||
|
||||
describe("HealthController", () => {
|
||||
let controller: HealthController;
|
||||
|
||||
@@ -37,10 +42,15 @@ describe("HealthController", () => {
|
||||
it("should return ok if database and redis are connected", async () => {
|
||||
mockDb.execute.mockResolvedValue([]);
|
||||
mockCacheManager.set.mockResolvedValue(undefined);
|
||||
(Sentry.getClient as jest.Mock).mockReturnValue({
|
||||
getOptions: () => ({ dsn: "http://dsn" }),
|
||||
});
|
||||
|
||||
const result = await controller.check();
|
||||
expect(result.status).toBe("ok");
|
||||
expect(result.database).toBe("connected");
|
||||
expect(result.redis).toBe("connected");
|
||||
expect(result.sentry).toBe("active");
|
||||
});
|
||||
|
||||
it("should return error if database is disconnected", async () => {
|
||||
@@ -62,4 +72,19 @@ describe("HealthController", () => {
|
||||
expect(result.redis).toBe("disconnected");
|
||||
expect(result.redisError).toBe("Redis Error");
|
||||
});
|
||||
|
||||
it("should return sentry disabled if client or dsn is missing", async () => {
|
||||
mockDb.execute.mockResolvedValue([]);
|
||||
mockCacheManager.set.mockResolvedValue(undefined);
|
||||
(Sentry.getClient as jest.Mock).mockReturnValue(undefined);
|
||||
|
||||
const result = await controller.check();
|
||||
expect(result.sentry).toBe("disabled");
|
||||
|
||||
(Sentry.getClient as jest.Mock).mockReturnValue({
|
||||
getOptions: () => ({ dsn: undefined }),
|
||||
});
|
||||
const result2 = await controller.check();
|
||||
expect(result2.sentry).toBe("disabled");
|
||||
});
|
||||
});
|
||||
|
||||
@@ -1,5 +1,6 @@
|
||||
import { CACHE_MANAGER } from "@nestjs/cache-manager";
|
||||
import { Controller, Get, Inject } from "@nestjs/common";
|
||||
import * as Sentry from "@sentry/nestjs";
|
||||
import type { Cache } from "cache-manager";
|
||||
import { sql } from "drizzle-orm";
|
||||
import { DatabaseService } from "./database/database.service";
|
||||
@@ -39,6 +40,14 @@ export class HealthController {
|
||||
health.redisError = error.message;
|
||||
}
|
||||
|
||||
// Check Sentry status
|
||||
const sentryClient = Sentry.getClient();
|
||||
if (sentryClient?.getOptions().dsn) {
|
||||
health.sentry = "active";
|
||||
} else {
|
||||
health.sentry = "disabled";
|
||||
}
|
||||
|
||||
return health;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,6 +1,8 @@
|
||||
import { createHash } from "node:crypto";
|
||||
import { Logger, ValidationPipe } from "@nestjs/common";
|
||||
import { ConfigService } from "@nestjs/config";
|
||||
import { NestFactory } from "@nestjs/core";
|
||||
import { NestExpressApplication } from "@nestjs/platform-express";
|
||||
import * as Sentry from "@sentry/nestjs";
|
||||
import { nodeProfilingIntegration } from "@sentry/profiling-node";
|
||||
import helmet from "helmet";
|
||||
@@ -8,19 +10,44 @@ import { AppModule } from "./app.module";
|
||||
import { AllExceptionsFilter } from "./common/filters/http-exception.filter";
|
||||
|
||||
async function bootstrap() {
|
||||
const app = await NestFactory.create(AppModule);
|
||||
const app = await NestFactory.create<NestExpressApplication>(AppModule);
|
||||
const configService = app.get(ConfigService);
|
||||
const logger = new Logger("Bootstrap");
|
||||
|
||||
// Activer trust proxy pour récupérer l'IP réelle derrière un reverse proxy
|
||||
app.set("trust proxy", true);
|
||||
|
||||
const sentryDsn = configService.get<string>("SENTRY_DSN");
|
||||
if (sentryDsn) {
|
||||
Sentry.init({
|
||||
dsn: sentryDsn,
|
||||
integrations: [nodeProfilingIntegration()],
|
||||
tracesSampleRate: 1.0,
|
||||
profilesSampleRate: 1.0,
|
||||
sendDefaultPii: false, // RGPD
|
||||
});
|
||||
try {
|
||||
Sentry.init({
|
||||
dsn: sentryDsn,
|
||||
integrations: [Sentry.nestIntegration(), nodeProfilingIntegration()],
|
||||
tracesSampleRate: 1.0,
|
||||
profilesSampleRate: 1.0,
|
||||
sendDefaultPii: false, // RGPD
|
||||
beforeSend(event) {
|
||||
// Hachage de l'IP utilisateur pour Sentry si elle est présente
|
||||
if (event.user?.ip_address) {
|
||||
event.user.ip_address = createHash("sha256")
|
||||
.update(event.user.ip_address)
|
||||
.digest("hex");
|
||||
}
|
||||
return event;
|
||||
},
|
||||
});
|
||||
|
||||
const client = Sentry.getClient();
|
||||
if (client?.getOptions().dsn) {
|
||||
logger.log("Sentry is initialized and connection is active");
|
||||
} else {
|
||||
logger.warn("Sentry initialized but DSN is missing");
|
||||
}
|
||||
} catch (error) {
|
||||
logger.error(`Failed to initialize Sentry: ${error.message}`);
|
||||
}
|
||||
} else {
|
||||
logger.warn("Sentry is disabled (SENTRY_DSN not configured)");
|
||||
}
|
||||
|
||||
// Sécurité
|
||||
|
||||
@@ -104,6 +104,7 @@ services:
|
||||
ENABLE_CORS: ${ENABLE_CORS:-true}
|
||||
CLAMAV_HOST: memegoat-clamav
|
||||
CLAMAV_PORT: 3310
|
||||
SENTRY_DSN: ${SENTRY_DSN}
|
||||
MAX_IMAGE_SIZE_KB: 1024
|
||||
MAX_GIF_SIZE_KB: 4096
|
||||
|
||||
|
||||
@@ -98,6 +98,7 @@ services:
|
||||
ENABLE_CORS: ${ENABLE_CORS:-true}
|
||||
CLAMAV_HOST: clamav
|
||||
CLAMAV_PORT: 3310
|
||||
SENTRY_DSN: ${SENTRY_DSN}
|
||||
|
||||
clamav:
|
||||
image: clamav/clamav:1.4
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@memegoat/frontend",
|
||||
"version": "1.9.7",
|
||||
"version": "1.10.2",
|
||||
"private": true,
|
||||
"scripts": {
|
||||
"dev": "next dev",
|
||||
|
||||
@@ -1,6 +1,6 @@
|
||||
{
|
||||
"name": "@memegoat/source",
|
||||
"version": "1.9.7",
|
||||
"version": "1.10.2",
|
||||
"description": "",
|
||||
"scripts": {
|
||||
"version:get": "cmake -P version.cmake GET",
|
||||
|
||||
Reference in New Issue
Block a user