Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/rouanw/secure-express-routes

Express middleware you can use to lock down all your routes by default
Last synced: 4 days ago
README

# secure-express-routes

> Express middleware you can use to lock down all your routes by default

## Limitations

Turns out that this approach is probably not suitable for most applications. `secure-express-routes` can't access `req.params`, because Express only populates `req.params` when the middleware defined on the matching route is run, and this middleware runs before that. Any application that uses `req.params` for permission checks (for example, comparing a `:userId` in the path against the authenticated user) will not be able to use this library. See expressjs/express#2088.

## Disclaimer

This package doesn't actually do anything to secure your routes. It just makes returning a `403` the default for every route in your application. What security you need will be specific to your scenario.

## Use case

`secure-express-routes` is for express applications that expose routes that need to be protected. Without it, you run the risk of accidentally exposing sensitive data or private functionality. For example:

```js
app.get('/my-secret-things', checkIsAuthorized, checkPermissions, revealSecrets)
app.get('/my-secure-things', checkIsAuthorized, revealSecrets)
```

In the above example, the `/my-secure-things` route is not doing any permission checks, because someone forgot to add `checkPermissions` to the chain of middleware - an easy mistake to make, and one that nothing in Express will flag for you.

When using `secure-express-routes`, your application will return a `403` for every route unless you have explicitly added an auth function for that route that returns `true`, thereby making your routes secure by default: a route you forgot to think about is closed, not open.

## Installation

```sh
$ npm install secure-express-routes
```

## Usage

```js
const express = require('express');
const secureExpressRoutes = require('secure-express-routes');

const app = express();

// Register the guard before any route, so every request is denied with a 403
// unless the auth function for its path returns true.
app.use(secureExpressRoutes({
  '/example-route': (req) => {
    // whatever authentication and authorization checks you need;
    // req.user must already have been set by an earlier middleware
    // (session or token parsing), otherwise this throws
    return !req.user.looksSuspicious;
  },
  '/public-route': () => true,
}));

// Placeholder handlers so the example runs as-is
const returnSecureThings = (req, res) => res.json({ secret: true });
const returnPublicThings = (req, res) => res.json({ public: true });

app.get('/example-route', returnSecureThings);
app.get('/public-route', returnPublicThings);

app.listen(3000);
```

## API

`secure-express-routes` is a simple express middleware. It takes two arguments:

### A hash of your application's routes and associated auth functions

With the structure: `{ [routePath]: authFunction }`.

Example:

```js
{
  '/example-route': (req, res) => {
    return !req.user.looksSuspicious && res.locals.allowedIPAddress; // whatever authentication and authorization checks you need
  },
  '/public-route': () => true,
}
```

Where `/example-route` and `/public-route` both correspond to express routes in your application. The `authFunction` will be passed the express `req` and `res` objects for inspection. If the function returns `true`, the middleware chain will be allowed to continue. In all other cases (including `false`, `undefined`, and a route that has no entry in the hash at all), the middleware chain will terminate and a `403` (or the configured `responseCode`, see below) will be returned. Because this runs before the route's own middleware, `req.params` is not yet populated here (see Limitations).

### An options object

Example (returning `404` instead of `403` avoids confirming to an unauthorized caller that a protected route exists at all):

```js
{ responseCode: 404 }
```

Option|Description|Default
---|---|---
`responseCode`|The HTTP response code to return by default|`403`
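The behaviour described in the Use case, Usage and API sections above, as an added example that is not the project's own code: a small re-implementation of the documented contract (a `{ routePath: authFunction }` hash plus a `responseCode` option), driven with constructed stub `req`/`res` objects so it runs without Express and shows the forgotten-route, non-`true` return value and throwing-auth-function cases. Exact, case-sensitive matching on `req.path`, the null-prototype lookup table and treating a thrown exception as a denial are assumptions made here for illustration, not documented behaviour of `secure-express-routes`.

```javascript
// Added example: a deny-by-default route guard modelled on the README's
// documented contract. NOT the secure-express-routes source.
//
// Assumptions (not stated by the README): routes are matched by exact,
// case-sensitive comparison against req.path; an auth function that throws
// is treated as a denial (fail closed) instead of becoming a 500.

function secureRoutes(routeAuth, options = {}) {
  const responseCode = options.responseCode ?? 403;
  // Null-prototype copy so config keys such as "constructor" or "__proto__"
  // can never resolve to something inherited from Object.prototype.
  const table = Object.assign(Object.create(null), routeAuth);

  return function guard(req, res, next) {
    const authFn = table[req.path];
    let allowed = false;
    if (typeof authFn === 'function') {
      try {
        // Only a strict `true` lets the request through: a truthy string,
        // a Promise or undefined all deny, matching "in all other cases".
        allowed = authFn(req, res) === true;
      } catch (err) {
        allowed = false; // fail closed, e.g. req.user was never set
      }
    }
    if (allowed) return next();
    res.status(responseCode).end();
  };
}

// Constructed stub request/response objects (no Express needed).
// req.params is {} here on purpose: it is not populated this early,
// which is the limitation the README describes.
function makeReq(path, extra = {}) {
  return { path, params: {}, ...extra };
}

function makeRes() {
  const res = { statusCode: 200, ended: false, locals: {} };
  res.status = (code) => { res.statusCode = code; return res; };
  res.end = () => { res.ended = true; return res; };
  return res;
}

// Run one request through the guard and report whether the route handler
// would have been reached and which status was sent otherwise.
function dispatch(guard, req) {
  const res = makeRes();
  let reachedHandler = false;
  guard(req, res, () => { reachedHandler = true; });
  return { reachedHandler, statusCode: reachedHandler ? 200 : res.statusCode };
}

// Route table mirroring the README's Usage section, plus one sloppy entry
// whose auth function returns a truthy non-boolean.
const guard = secureRoutes({
  '/example-route': (req) => !req.user.looksSuspicious,
  '/public-route': () => true,
  '/sloppy-route': (req) => req.user && 'ok',
});

function demo() {
  return {
    publicOk: dispatch(guard, makeReq('/public-route')),
    goodUser: dispatch(guard, makeReq('/example-route', { user: { looksSuspicious: false } })),
    badUser: dispatch(guard, makeReq('/example-route', { user: { looksSuspicious: true } })),
    // No req.user at all: the auth function throws and the guard fails closed.
    noUser: dispatch(guard, makeReq('/example-route')),
    // 'ok' !== true, so this is still a 403.
    truthyNotTrue: dispatch(guard, makeReq('/sloppy-route', { user: {} })),
    // Route never added to the table: the forgotten-middleware case from "Use case".
    forgotten: dispatch(guard, makeReq('/my-secure-things', { user: {} })),
  };
}

// Same contract with the responseCode option, hiding protected routes as 404.
const hidden = secureRoutes({ '/public-route': () => true }, { responseCode: 404 });

function demo404() {
  return dispatch(hidden, makeReq('/my-secret-things'));
}
```

Running `demo()` shows the property the README is after: the only requests that reach a handler are the two whose auth function returned exactly `true`; the unlisted `/my-secure-things` route, the throwing check and the `'ok'` return are all denied. Whether the real library catches exceptions from an auth function is not documented on this page, so in a real deployment keep those functions total (guard against a missing `req.user`) rather than relying on that behaviour.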

## Performance

Because `secure-express-routes` iterates over an array of routes on each request, it may get slow for applications with lots of routes. A workaround is to split your routes into different routers and mount one `secureExpressRoutes` instance on each router, so that each request is only checked against the routes of the router it hits.

## License

MIT