npm package discovery and stats viewer.


© 2024 – Pkg Stats / Ryan Hefner

secure-express-routes

v1.0.5

Published

Middleware you can use to lock down all your express routes by default

Downloads

8

Readme

secure-express-routes

Express middleware you can use to lock down all your routes by default

Limitations

It turns out that this approach is probably not suitable for most applications. secure-express-routes can't access req.params, because that object is not populated until the middleware defined on the actual route runs. Any application that relies on req.params for its permission checks will not be able to use this library. See expressjs/express#2088.

Disclaimer

This package doesn't actually do anything to secure your routes. It just makes returning a 403 the default for every route in your application. What security you need will be specific to your scenario.

Use case

secure-express-routes is for express applications that expose routes which need to be protected. Without it, you run the risk of accidentally exposing sensitive data or private functionality. For example:

app.get('/my-secret-things', checkIsAuthorized, checkPermissions, revealSecrets)
app.get('/my-secure-things', checkIsAuthorized, revealSecrets)

In the above example, the /my-secure-things route performs no permission check at all, because someone forgot to add checkPermissions to the middleware chain. That is an easy mistake to make, and nothing in express itself will flag it.

When using secure-express-routes, your application returns a 403 for every route unless you add code that explicitly lets the request through, so your routes are denied by default rather than allowed by default.

Installation

$ npm install secure-express-routes

Usage

const express = require('express');
const secureExpressRoutes = require('secure-express-routes');

const app = express();

// Register the guard before any routes so it runs for every request.
app.use(secureExpressRoutes({
  '/example-route': (req) => {
    // req.user is assumed to be set by earlier authentication middleware.
    // Anything other than an exact `true` (including undefined) results in a 403.
    return Boolean(req.user) && !req.user.looksSuspicious; // whatever authentication and authorization checks you need
  },
  '/public-route': () => true,
}));

// Placeholder handlers; replace with your own.
const returnSecureThings = (req, res) => res.json({ secret: 'only for trusted users' });
const returnPublicThings = (req, res) => res.json({ hello: 'world' });

app.get('/example-route', returnSecureThings);
app.get('/public-route', returnPublicThings);

app.listen(3000);

API

secure-express-routes is a simple express middleware. It takes two arguments:

A hash of your application's routes and associated auth functions

With the structure: { [routePath]: authFunction }.

Example:

{
  '/example-route': (req, res) => {
    // The function must return exactly `true` to allow the request, so compare
    // non-boolean values explicitly instead of returning them directly.
    return !req.user.looksSuspicious && res.locals.allowedIPAddress === true; // whatever authentication and authorization checks you need
  },
  '/public-route': () => true,
}

Where /example-route and /public-route both correspond to express routes in your application. The authFunction is passed the express req and res objects for inspection. If the function returns exactly true, the middleware chain is allowed to continue. In all other cases (any other return value, or a route that does not appear in the hash at all), the middleware chain terminates and a 403 is returned.

An options object

Example:

{ responseCode: 404 }

Option|Description|Default
---|---|---
responseCode|The HTTP response code to return by default|403
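To make the deny-by-default behaviour from the Use case and API sections concrete, here is an added example that re-implements that behaviour as a plain (req, res, next) middleware and drives it with constructed mock requests, so it runs under Node alone with no express install. It is not the package's source code: the exact match on req.path, the Map lookup (the package, per its Performance section, iterates over its routes instead), and the choice to treat an auth function that throws as a denial are assumptions made for this example, as are the route names, the handlers, and the harness functions makeReq, makeRes and simulate.

```javascript
// Added example: a deny-by-default route guard with the same shape as the
// secure-express-routes API ({ [routePath]: authFunction } plus an options
// object). Not the package's code; path matching, Map lookup and fail-closed
// handling of thrown auth functions are assumptions of this example.

function secureRoutesByDefault(routeAuth, options = {}) {
  const responseCode = options.responseCode || 403;
  // A Map gives O(1) lookup and keeps keys like "constructor" away from
  // Object.prototype.
  const guards = new Map(Object.entries(routeAuth));

  return function guard(req, res, next) {
    const authFunction = guards.get(req.path); // assumption: exact path match
    let allowed = false;
    if (typeof authFunction === 'function') {
      try {
        // Only an exact `true` lets the request through; truthy values such
        // as 1 or "yes" are still denied, as the API description requires.
        allowed = authFunction(req, res) === true;
      } catch (err) {
        allowed = false; // assumption: an auth function that throws fails closed
      }
    }
    if (allowed) return next();
    res.statusCode = responseCode;
    res.end();
  };
}

// --- Minimal harness standing in for express so the example runs offline. ---
// Constructed sample requests and responses; nothing here touches the network.
function makeReq(path, user) {
  return { path, user };
}
function makeRes() {
  return { statusCode: 200, ended: false, end() { this.ended = true; } };
}

// Run one request through the guard and report whether the handler was reached.
function simulate(guard, req) {
  const res = makeRes();
  let reachedHandler = false;
  guard(req, res, () => { reachedHandler = true; });
  return { reachedHandler, statusCode: res.statusCode };
}

const guard = secureRoutesByDefault({
  '/example-route': (req) => Boolean(req.user) && !req.user.looksSuspicious,
  '/public-route': () => true,
  '/sloppy-route': () => 'yes',                        // truthy but not true: denied
  '/buggy-route': (req) => req.user.role === 'admin',  // throws when req.user is undefined
});

// Every case a practitioner would want to see: allowed, denied, anonymous,
// a route nobody registered a check for, a sloppy return value, and a crash.
function results() {
  return {
    publicRoute: simulate(guard, makeReq('/public-route')),
    goodUser: simulate(guard, makeReq('/example-route', { looksSuspicious: false })),
    badUser: simulate(guard, makeReq('/example-route', { looksSuspicious: true })),
    anonymous: simulate(guard, makeReq('/example-route')),
    unlisted: simulate(guard, makeReq('/forgotten-admin-route')),
    sloppy: simulate(guard, makeReq('/sloppy-route')),
    buggy: simulate(guard, makeReq('/buggy-route')),
  };
}

// With { responseCode: 404 } denied routes are hidden instead of flagged.
const hidingGuard = secureRoutesByDefault({ '/public-route': () => true }, { responseCode: 404 });
function hiddenResult() {
  return simulate(hidingGuard, makeReq('/forgotten-admin-route'));
}

console.log(JSON.stringify({ ...results(), hidden: hiddenResult() }, null, 2));
```

The point to take from the run is the unlisted and buggy cases: a route nobody wrote a check for, and a check that crashes on an anonymous request, both end in a 403 rather than in the handler. That is the property the Use case section argues for, and it is only worth having if the guard is registered before every route and the auth functions are written to return exactly true.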

Performance

Because secure-express-routes iterates over an array of routes on each request, it may become slow for applications with many routes. A workaround is to split your routes across several routers and give each router its own secureExpressRoutes instance, so that each request is only checked against the routes of the router it hits.

License

MIT