From 628c50572e4411e61e148b1cae4a3cc870de40e9 Mon Sep 17 00:00:00 2001 From: Tobe O Date: Wed, 14 Aug 2019 16:08:23 -0400 Subject: [PATCH] Clean readme --- README.md | 117 +----------------------------------------------------- 1 file changed, 1 insertion(+), 116 deletions(-) diff --git a/README.md b/README.md index 0c76c54f..53339b5f 100644 --- a/README.md +++ b/README.md @@ -5,119 +5,4 @@ Angel middleware designed to enhance application security by patching common Web security holes. -* Generic Middleware - * [Sanitizing HTML](#sanitizing-html) - * [CSRF Tokens](#csrf-tokens) - * [Banning by IP/Origin](#banning-by-ip) - * [Trusted Proxy](#trusted-proxy) - * [Throttling Requests](#throttling-requests) -* [Helmet Port](#helmet) -* [Service Hooks](#service-hooks) -* [Permissions](#permissions) - -## Sanitizing HTML - -```dart -app.before.add(sanitizeHtmlInput()); - -// Or: -app.chain(sanitizeHtmlInput()).get(...) -``` - -## CSRF Tokens - -```dart -app.chain(verifyCsrfToken()).post('/form', ...); -app.responseFinalizers.add(setCsrfToken()); -``` - -## Banning by IP - -```dart -app.before.add(banIp('1.2.3.4')); - -// Or a range: -app.before.add(banIp('1.2.3.*')); -app.before.add(banIp('1.2.*.4')); - -// Or multiple filters: -app.before.add(banIp(['1.2.3.4', '192.*.*.*', RegExp(r'1\.2.\3.\4')])); - -// Also can ban origins -app.before.add(banOrigin('*.known-attacker.com')); - -// By default, `banOrigin` forces users to have an `Origin` header. -// Use this flag to disable it: -app.before.add(banOrigin('evil.site', allowEmptyOrigin: true)); -``` - -## Trusted Proxy -Works well with Apache or Nginx. - -```dart -// ONLY trust localhost X-Forwarded-* headers -app.before.add(trustProxy('127.0.0.1')); -``` - -## Throttling Requests -Throws a `429` error if the given rate limit is exceeded. - -```dart -// Example: 5 requests per minute -app.before.add(throttleRequests(5, Duration(minutes: 1))); -``` - -# Helmet -[Supplementary security library](https://github.com/angel-dart/helmet) - -# Service Hooks -Also included are a set of service hooks, some [ported from FeathersJS](https://github.com/feathersjs/feathers-legacy-authentication-hooks). -Others are created just for Angel. - -```dart -import 'package:angel_security/hooks.dart' as hooks; -``` - -Included: -* `addUserToParams` -* `associateCurrentUser`, -* `hashPassword` -* `queryWithCurrentUser` -* `restrictToAuthenticated` -* `restrictToOwner` -* `variantPermission` - -Also exported is the helper function `isServerSide`. Use this to determine -whether a service method is being called by the server, or by a client. - -# Permissions -Permissions are a great way to restrict access to resources. - -They take the form of: -* `service:foo` -* `service:create:*` -* `some:arbitrary:permission:*:with:*:a:wild:*card` - -The specifics are up to you. - -```dart -var permission = Permission('admin | users:find'); - -// Or: -// PermissionBuilders support + and | operators. Operands can be Strings, Permissions or PermissionBuilders. -var permission = (PermissionBuilder('admin') | (PermissionBuilder('users') + 'find')).toPermission(); - -// Transform into middleware -app.chain(permission.toMiddleware()).get('/protected', ...); - -// Or as a service hook -app.service('protected').beforeModify(permission.toHook()); - -// Dynamically create a permission hook. -// This helps in situations where the resources you need to protect are dynamic. -// -// `variantPermission` is included in the `package:angel_security/hooks.dart` library. -app.service('posts').beforeModify(variantPermission((e) { - return PermissionBuilder('posts:modify:${e.id}'); -})); -``` \ No newline at end of file +**This package is currently going through a major overhaul, for version 2.** \ No newline at end of file