NASA Proceeds to Mars

    secure-express-routes

    1.0.5 • Public • Published

    secure-express-routes

    Express middleware you can use to lock down all your routes by default

    Limitations

    Turns out that this approach is probably not suitable for most applications. secure-express-routes can’t access req.params, because that’s not set until the middleware defined on an actual route is run. Any applications that use req.params for permission checks, won't be able to use this library as a viable option. See expressjs/express#2088.

    Disclaimer

    This package doesn't actually do anything to secure your routes. It just makes returning a 403 the default for every route in your application. What security you need will be specific to your scenario.

    Use case

    secure-express-routes is for express applications that expose routes that need to be protected. Without it, your run the risk of accidentally exposing sensitive data or private functionality. For example:

    app.get('my-secret-things', checkIsAuthorized, checkPermissions, revealSecrets)
    app.get('my-secure-things', checkIsAuthorized, revealSecrets)

    In the above example, the my-secure-things route is not doing any permission checks, because someone forgot to add checkPermissions to the chain of middleware - an easy mistake to make!

    When using secure-express-routes, your application will return a 403 unless you add some code to let the request through, thereby making your routes secure by default.

    Installation

    $ npm install 

    Usage

    const express = require('express');
    const secureExpressRoutes = require('secure-express-routes');
     
    const app = express();
    app.use(secureExpressRoutes({
      '/example-route': (req) => {
        return !req.user.looksSuspicious; // whatever authentication and authorization checks you need
      },
      '/public-route': () => true,
    }));
     
    app.get('/example-route', returnSecureThings);
    app.get('/public-route', returnPublicThings);

    API

    secure-express-routes is a simple express middleware. It takes two arguments:

    A hash of your application's routes and associated auth functions

    With the structure: { [routePath]: authFunction }.

    Example:

    {
      '/example-route': (req, res) => {
        return !req.user.looksSuspicious && res.locals.allowedIPAddress; // whatever authentication and authorization checks you need
      },
      '/public-route': () => true,
    }

    Where /example-route and public-route both correspond to express routes in your application. The authFunction will be passed the express req and res object for inspection. If the function returns true, the middleware chain will be allowed to continue. In all other cases, the middleware chain will terminate and a 403 will be returned.

    A options object

    Example:

    { responseCode: 404 }
    Option Description Default
    responseCode The HTTP response code to return by default 403

    Performance

    Because secure-express-routes iterates over an array of routes on each request, it may get slow with for applications with lots of routes. A workaround will be to split your routes into different routers and have one secureExpressRoutes instance for each router.

    License

    MIT

    Install

    npm i secure-express-routes

    DownloadsWeekly Downloads

    0

    Version

    1.0.5

    License

    MIT

    Unpacked Size

    7.55 kB

    Total Files

    4

    Last publish

    Collaborators

    • rouanw