{"id":19745168,"url":"https://github.com/castle/castle-node","last_synced_at":"2025-10-06T17:17:22.033Z","repository":{"id":41345171,"uuid":"49796497","full_name":"castle/castle-node","owner":"castle","description":"Node bindings for Castle","archived":false,"fork":false,"pushed_at":"2025-08-18T06:49:06.000Z","size":879,"stargazers_count":11,"open_issues_count":2,"forks_count":6,"subscribers_count":15,"default_branch":"master","last_synced_at":"2025-09-03T03:42:10.078Z","etag":null,"topics":["castle","fraud-detection","fraud-prevention","node-js","nodejs","sdk"],"latest_commit_sha":null,"homepage":"https://castle.io","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/castle.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2016-01-17T00:15:24.000Z","updated_at":"2025-08-25T16:33:05.000Z","dependencies_parsed_at":"2025-04-30T07:37:16.918Z","dependency_job_id":"b2bf567d-1cac-45d5-a348-dd9f07b1122b","html_url":"https://github.com/castle/castle-node","commit_stats":{"total_commits":113,"total_committers":9,"mean_commits":"12.555555555555555","dds":0.6460176991150443,"last_synced_commit":"0cd9d4813a446333443fbc44f9f9908cd622b329"},"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/castle/castle-node","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/castle%2Fcastle-node","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositor
ies/castle%2Fcastle-node/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/castle%2Fcastle-node/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/castle%2Fcastle-node/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/castle","download_url":"https://codeload.github.com/castle/castle-node/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/castle%2Fcastle-node/sbom","scorecard":{"id":267560,"data":{"date":"2025-08-11","repo":{"name":"github.com/castle/castle-node","commit":"80f59bc757c8e263ccc8eb7d0a3ecc3260ebe032"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.9,"checks":[{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Maintained","score":10,"reason":"18 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least 
privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":6,"reason":"4 existing vulnerabilities detected","details":["Warn: Project is 
vulnerable to: GHSA-968p-4wvh-cqc8","Warn: Project is vulnerable to: GHSA-xffm-g5w8-qvg7","Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw","Warn: Project is vulnerable to: GHSA-fjxv-7rqg-78g4"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-17T12:29:36.607Z","repository_id":41345171,"created_at":"2025-08-17T12:29:36.607Z","updated_at":"2025-08-17T12:29:36.607Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278646829,"owners_count":26021523,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-06T02:00:05.630Z","response_time":65,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["castle","fraud-detection","fraud-prevention","node-js","nodejs","sdk"],"created_at":"2024-11-12T02:04:32.389Z","updated_at":"2025-10-06T17:17:22.012Z","avatar_url":"https://github.com/castle.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Castle SDK for Node\n\n**[Castle](https://castle.io) analyzes user behavior in web and mobile apps to stop fraud before it happens.**\n\n## Usage\n\nSee the [documentation](https://docs.castle.io) for how to use this SDK with the Castle APIs\n\n## Installation\n\nAdd the `@castleio/sdk` package to your 
`package.json`.\n\n### yarn\n\n```bash\nyarn add @castleio/sdk\n```\n\n### npm\n\n```bash\nnpm install --save @castleio/sdk\n```\n\n## Configuration\n\n### Framework configuration\n\nLoad and configure the library with your Castle API secret in an initializer or similar.\n\n```js\nimport { Castle } from '@castleio/sdk';\n\nconst castle = new Castle({ apiSecret: 'YOUR SECRET HERE' });\n```\n\nWhen using setup without the modules:\n\n```js\nconst { Castle } = require('@castleio/sdk');\n\nconst castle = new Castle({ apiSecret: 'YOUR SECRET HERE' });\n```\n\n#### Config options\n\n| Config option     | Type               | Default                    | Explanation                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |\n| ----------------- | ------------------ | -------------------------- | 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |\n| apiSecret         | `string`           |                            | API key which can be found in the Castle dashboard https://dashboard.castle.io/settings/general                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    
                                                               |\n| timeout           | `number`           | 1500                       | Time before returning the failover strategy.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |\n| allowlisted       | `string[]`         | []                         | by default, the SDK sends all HTTP headers, except for Cookie and Authorization. \u003cbr/\u003e\u003cbr/\u003e If you decide to use a allowlist, the SDK will:\u003cbr/\u003e- always send the User-Agent header\u003cbr/\u003e- send scrubbed values of non-allowlisted headers\u003cbr/\u003e- send proper values of allowlisted headers.\u003cbr/\u003e\u003cbr/\u003eWe highly suggest using denylist instead of allowlist, so that Castle can use as many data points as possible to secure your users. 
If you want to use the allowlist, this is the minimal amount of headers we recommend: DEFAULT_ALLOWLIST                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |\n| denylisted        | `string[]`         | []                         | Denylisted headers take precedence over allowlisted elements. We always denylist Cookie and Authentication headers. If you use any other headers that might contain sensitive information, you should denylist them                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |\n| failoverStrategy  | `FailoverStrategy` | `FailoverStrategy.allow`   | If the request to our service would for some reason time out, this is where you select the automatic response from `authenticate`. Options are `FailoverStrategy.allow`, `FailoverStrategy.deny`, `FailoverStrategy.challenge`.                                                               
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |\n| logger            | `any`              |                            | Logs Castle API requests and responses, has to respond to `info` method.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          |\n| doNotTrack        | `boolean`          | False                      | setting it to true turns off all requests and triggers automatic failover on `authenticate`. Used for development and testing.                      
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |\n| ipHeaders         | `string[]`         | []                         | Castle needs the original IP of the client, not the IP of your proxy or load balancer. The SDK will only trust the proxy chain as defined in the configuration.We try to fetch the client IP based on X-Forwarded-For or Remote-Addr headers in that order, but sometimes the client IP may be stored in a different header or order. The SDK can be configured to look for the client IP address in headers that you specify.\u003cbr/\u003eSometimes, Cloud providers do not use consistent IP addresses to proxy requests. In this case, the client IP is usually preserved in a custom header. \u003cbr/\u003eExample: Cloudflare preserves the client request in the 'Cf-Connecting-Ip' header.                                                                                                                                                                                                                                                                                                                                                  
|\n| trustedProxies    | `string[]`         | []                         | If the specified header or X-Forwarded-For default contains a proxy chain with public IP addresses, then you must choose only one of the following (but not both): \u003cbr/\u003e1. The trusted_proxies value must match the known proxy IPs. This option is preferable if the IP is static. \u003cbr/\u003e2. The trusted_proxy_depth value must be set to the number of known trusted proxies in the chain (see below). This option is preferable if the IPs are ephemeral, but the depth is consistent. \u003cbr/\u003eAdditionally, to make X-Forwarded-For and other headers work better at discovering the client IP address, and not the address of a reverse proxy server, you can define trusted proxies which will help to fetch the proper IP from those headers. \u003cbr/\u003eIn order to extract the client IP of the X-Forwarded-For header and not the address of a reverse proxy server, you must define all trusted public proxies; you can achieve this by listing all the proxy IPs, defined as strings or regular expressions, in the trusted_proxies setting. \u003cbr/\u003e |\n| trustedProxyDepth | `number`           | 0                          | ...or by providing the number of trusted proxies used in the chain (note that you must pick one approach over the other. 
either trustProxyChain orr trustedProxies)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  |\n| trustProxyChain   | `boolean`          | False                      | If there is no possibility to define options above and there is no other header that holds the client IP, then you may set this option to True to trust all of the proxy IPs in X-Forwarded-For , _Warning_: this mode is highly promiscuous and could lead to wrongly trusting a spoofed IP if the request passes through a malicious proxy                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      |\n| baseUrl           | `string`           | 
`https://api.castle.io/v1` | base Castle API url                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcastle%2Fcastle-node","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcastle%2Fcastle-node","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcastle%2Fcastle-node/lists"}