The Protevus Platform: Unified Full-Stack Development
https://protevus.com
.idea | ||
lib/src | ||
.gitignore | ||
.travis.yml | ||
analysis_options.yaml | ||
CHANGELOG.md | ||
LICENSE | ||
pubspec.yaml | ||
README.md | ||
security.iml |
security
Angel middleware designed to enhance application security by patching common Web security holes.
- Generic Middleware
- Helmet Port
- Service Hooks
- Permissions
Sanitizing HTML
app.before.add(sanitizeHtmlInput());
// Or:
app.chain(sanitizeHtmlInput()).get(...)
CSRF Tokens
app.chain(verifyCsrfToken()).post('/form', ...);
app.responseFinalizers.add(setCsrfToken());
Banning by IP
app.before.add(banIp('1.2.3.4'));
// Or a range:
app.before.add(banIp('1.2.3.*'));
app.before.add(banIp('1.2.*.4'));
// Or multiple filters:
app.before.add(banIp(['1.2.3.4', '192.*.*.*', RegExp(r'1\.2.\3.\4')]));
// Also can ban origins
app.before.add(banOrigin('*.known-attacker.com'));
// By default, `banOrigin` forces users to have an `Origin` header.
// Use this flag to disable it:
app.before.add(banOrigin('evil.site', allowEmptyOrigin: true));
Trusted Proxy
Works well with Apache or Nginx.
// ONLY trust localhost X-Forwarded-* headers
app.before.add(trustProxy('127.0.0.1'));
Throttling Requests
Throws a 429
error if the given rate limit is exceeded.
// Example: 5 requests per minute
app.before.add(throttleRequests(5, Duration(minutes: 1)));
Helmet
Supplementary security library
Service Hooks
Also included are a set of service hooks, some ported from FeathersJS. Others are created just for Angel.
import 'package:angel_security/hooks.dart' as hooks;
Included:
addUserToParams
associateCurrentUser
,hashPassword
queryWithCurrentUser
restrictToAuthenticated
restrictToOwner
variantPermission
Also exported is the helper function isServerSide
. Use this to determine
whether a service method is being called by the server, or by a client.
Permissions
Permissions are a great way to restrict access to resources.
They take the form of:
service:foo
service:create:*
some:arbitrary:permission:*:with:*:a:wild:*card
The specifics are up to you.
var permission = Permission('admin | users:find');
// Or:
// PermissionBuilders support + and | operators. Operands can be Strings, Permissions or PermissionBuilders.
var permission = (PermissionBuilder('admin') | (PermissionBuilder('users') + 'find')).toPermission();
// Transform into middleware
app.chain(permission.toMiddleware()).get('/protected', ...);
// Or as a service hook
app.service('protected').beforeModify(permission.toHook());
// Dynamically create a permission hook.
// This helps in situations where the resources you need to protect are dynamic.
//
// `variantPermission` is included in the `package:angel_security/hooks.dart` library.
app.service('posts').beforeModify(variantPermission((e) {
return PermissionBuilder('posts:modify:${e.id}');
}));