The Protevus Platform: Unified Full-Stack Development https://protevus.com

api cross-platform dart express.js framework laravel mvc orm platform protevus server template-engine

Find a file

Tobe O c7434c220c Remove idea		2019-08-14 14:49:14 -04:00
example	Remove idea	2019-08-14 14:49:14 -04:00
lib	Remove idea	2019-08-14 14:49:14 -04:00
.gitignore	Upgrades for 2.0, fix static errors	2019-04-20 10:53:52 -04:00
.travis.yml	0.0.0-alpha	2017-01-12 18:57:13 -05:00
analysis_options.yaml	current user tests	2019-04-20 12:37:50 -04:00
CHANGELOG.md	Upgrades for 2.0, fix static errors	2019-04-20 10:53:52 -04:00
LICENSE	Initial commit	2017-01-10 08:24:29 -05:00
pubspec.yaml	Remove console	2019-08-14 14:43:24 -04:00
README.md	Ad badge in readme	2019-04-20 10:55:47 -04:00
security.iml	Remove Extensible	2017-12-22 08:34:31 -05:00

README.md

security

Angel middleware designed to enhance application security by patching common Web security holes.

Generic Middleware
Helmet Port
Service Hooks
Permissions

Sanitizing HTML

app.before.add(sanitizeHtmlInput());

// Or:
app.chain(sanitizeHtmlInput()).get(...)

CSRF Tokens

app.chain(verifyCsrfToken()).post('/form', ...);
app.responseFinalizers.add(setCsrfToken());

Banning by IP

app.before.add(banIp('1.2.3.4'));

// Or a range:
app.before.add(banIp('1.2.3.*'));
app.before.add(banIp('1.2.*.4'));

// Or multiple filters:
app.before.add(banIp(['1.2.3.4', '192.*.*.*', RegExp(r'1\.2.\3.\4')]));

// Also can ban origins
app.before.add(banOrigin('*.known-attacker.com'));

// By default, `banOrigin` forces users to have an `Origin` header.
// Use this flag to disable it:
app.before.add(banOrigin('evil.site', allowEmptyOrigin: true));

Trusted Proxy

Works well with Apache or Nginx.

// ONLY trust localhost X-Forwarded-* headers
app.before.add(trustProxy('127.0.0.1'));

Throttling Requests

Throws a 429 error if the given rate limit is exceeded.

// Example: 5 requests per minute
app.before.add(throttleRequests(5, Duration(minutes: 1)));

Helmet

Supplementary security library

Service Hooks

Also included are a set of service hooks, some ported from FeathersJS. Others are created just for Angel.

import 'package:angel_security/hooks.dart' as hooks;

Included:

addUserToParams
associateCurrentUser,
hashPassword
queryWithCurrentUser
restrictToAuthenticated
restrictToOwner
variantPermission

Also exported is the helper function isServerSide. Use this to determine whether a service method is being called by the server, or by a client.

Permissions

Permissions are a great way to restrict access to resources.

They take the form of:

service:foo
service:create:*
some:arbitrary:permission:*:with:*:a:wild:*card

The specifics are up to you.

var permission = Permission('admin | users:find');

// Or:
// PermissionBuilders support + and | operators. Operands can be Strings, Permissions or PermissionBuilders.
var permission = (PermissionBuilder('admin') | (PermissionBuilder('users') + 'find')).toPermission();

// Transform into middleware
app.chain(permission.toMiddleware()).get('/protected', ...);

// Or as a service hook
app.service('protected').beforeModify(permission.toHook());

// Dynamically create a permission hook.
// This helps in situations where the resources you need to protect are dynamic.
//
// `variantPermission` is included in the `package:angel_security/hooks.dart` library.
app.service('posts').beforeModify(variantPermission((e) {
    return PermissionBuilder('posts:modify:${e.id}');
}));