Research
Security News
Malicious npm Packages Inject SSH Backdoors via Typosquatted Libraries
Socket’s threat research team has detected six malicious npm packages typosquatting popular libraries to insert SSH backdoors.
@axa-ch/aletheia
^10.16.0
^6.9.0
When that's done, install the project dependencies:

```sh
$ npm install # Install project dependencies
```

After completing the installation step, you're ready to start the project!

```sh
$ npm run dev # Start the development server
$ npm run start-local # Start the development server with a mocked API, emulating the production behaviour
```

While developing, you will probably rely mostly on `npm run dev` or `npm run start-local`; however, there are additional scripts at your disposal:
| npm `<script>` | Description |
|---|---|
| `clean` | Delete `./dist` |
| `clean-docs` | Delete `./docs` |
| `clean-lib` | Delete `./lib` |
| `dev` | Serves your app at `localhost:3000` |
| `compile` | Builds the application to `./dist` |
| `build` | Runs `compile` and `build-lib` |
| `build-lib` | Builds the application to `./lib` for ES Modules consumption |
| `test` | Builds the application to `./dist` |
| `test-js` | Runs unit tests and lints |
| `coverage` | Runs unit tests and collects code coverage |
| `test-js:watch` | Runs `test-js` in watch mode to re-run tests when changed |
| `lint` | Lints the project for potential errors |
| `lint:fix` | Lints the project and fixes all correctable errors |
| `lint-css` | Lints the project for potential CSS errors |
| `lint-css:fix` | Lints the CSS and fixes all correctable errors |
| `lint:schemas` | Lints the JSON schemas with `ajv` |
| `lint:schemashelp` | Displays help for the CLI with `ajv help` |
| `docs` | Build API docs from JSON Schemas with `jsonschema2md` |
| `toc` | Generate Table of Contents for `README.md`, `CONTRIBUTING.md` and `ONBOARDING.md` |
| `stat` | Profiles build and outputs `stat.json` |
| `stat-prod` | Profiles build and outputs `stat-prod.json` |
All environment variables are mainly used for development, to fill out the data attributes.

| Name | Description | Default |
|---|---|---|
| `NODE_ENV` | Used to optimize the build for `production`, `development` or `test`. | `"development"` |
| `PROCESS_INSTANCE_ID` | Unique ID for a running process. This has a higher priority than `PROCESS_NAME`. | |
| `PROCESS_NAME` | Name of the process which should be started automatically. This has a lower priority than `PROCESS_INSTANCE_ID`. | |
| `END_USER_KEY` | User who started the process. If `OAUTH_TOKEN` is set, `END_USER_KEY` is ignored. | |
| `STAGE` | The current stage at which aletheia is running, i.e. `production`, `acc`, `dev` or `local`. | |
| `API_TEST_KEY` | API key for local testing. | |
| `X_AXA_APIKEY` | API keys should only be used for public unauthorized APIs. An API key is unique per client application and is used solely for client identification (for details, please consult the official documentation at confluence). | |
| `OAUTH_TOKEN` | OAuth token of type Bearer. | |
| `FALLBACK_URL` | The URL to fall back to if the process cannot be started. | |
Each process may or may not have custom Name-Value-Pairs (NVP):

| Name | Description | NVP-Name |
|---|---|---|
| `APP_ID` | ID of the invoking application. | `APPL-ID-CLIENT` |
| `PARTNER_NUMBER` | Partner number. | `PART-NR` |
| `POLICY_NUMBER` | Policy number. | `POL-NR` |
| `LICENSE_PLATE` | License plate. | `KSCHILD-KOMPL` |
| `URL_HAIL` | URL for hail jump (NVP value). | `URL-SC-FORMLR-HAGEL` |
| `URL_DATA_PROTECTION` | URL for data protection jump (NVP value). | `URL-DATEN-SCHUTZ-ERKLRG` |
| `URL_COLLISION_RENTED` | URL for collision rented jump (NVP value). | `URL-SC-FORMLR-KOLSN-FZ-GLIEH` |
| `URL_DAMAGE_MARTEN` | URL for damage marten jump (NVP value). | `URL-SC-FORMLR-MARDER` |
| `URL_GLASS_BOT` | URL for glass bot jump (NVP value). | `URL-SC-FORMLR-GLSBRU` |
| `URL_EFORM_CAR` | URL for eform car jump (NVP value). | `URL-SC-FORMLR-MFZ` |
| `URL_CAR_CARELESS_WARRANTY` | URL for car careless warranty jump (NVP value). | `URL-SC-FORMLR-GRT-EREIG` |
| Name | Description | Default |
|---|---|---|
| `data-stage` | ONLY on axa.ch! Will be mapped to `data-aletheia-stage`. | |
| `data-aletheia-stage` | The current stage at which aletheia is running, i.e. `production`, `acc`, `dev` or `local`. | |
| `data-aletheia-is-from-my-axa` | Whether or not the myAXA native Android or iOS app is used. | `false` |
| `data-aletheia-api-test-key` | API key for local testing. | |
| `data-aletheia-x-axa-apikey` | API keys should only be used for public unauthorized APIs. An API key is unique per client application and is used solely for client identification (for details, please consult the official documentation at confluence). | |
| `data-aletheia-oauth-token` | OAuth token of type Bearer. | |
| `data-aletheia-fallback-url` | The URL to fall back to if the process cannot be started. | |
| `data-aletheia-api` | API URL to BPM. | |
| `data-aletheia-refresh-url` | URL for refreshing the OAuth access token. | |
| `data-aletheia-redirect-url` | URL for refreshing the OAuth access token by redirect. | |
| `data-aletheia-sat-cookie-name` | Name of the Secure-Access-Token cookie. | |
| `data-aletheia-process-instance-id` | Unique ID for a running process (mainly used for development). | |
| `data-aletheia-process-name` | Name of the process which should be started automatically (mainly used for production). | |
| `data-aletheia-end-user-key` | User who started the process. | |
| `data-aletheia-uls` | Whether or not to use the User Login Servlet, which offers authentication by user-id and password (for details, please consult the official documentation at confluence). | `false` |
| `data-aletheia-on-process-ended` | Function to be called upon process end (looked up by name in the global `window` object). | `"onTestEnded"` |
| `data-aletheia-on-process-error` | Function to be called upon process error (looked up by name in the global `window` object). | `"onTestError"` |
| `data-aletheia-on-process-aborted` | Function to be called upon process abortion (looked up by name in the global `window` object). | `"onTestAborted"` |
Each process may or may not have custom Name-Value-Pairs (NVP):

| Name | Description | NVP-Name | Default |
|---|---|---|---|
| `data-aletheia-app-id` | ID of the invoking application. | `APPL-ID-CLIENT` | |
| `data-language` | ONLY on axa.ch! Will be mapped to `data-aletheia-locale`. | `SPRA-CDI` | `"de-CH"` |
| `data-aletheia-locale` | Locale of the application; country and language code allowed. | `SPRA-CDI` | `"de-CH"` |
| `data-aletheia-referrer` | URL of the invoking application. | `URL-SOURCE-APPL` | |
| `data-aletheia-nvp` | An array of NVP objects. | | |
| `data-aletheia-nvp-names-map` | A map to rename NVP-names. | | |
Each process may or may not have custom Name-Value-Pairs (NVP):

| Name | Description | Default |
|---|---|---|
| `SPRA-CDI` | User's language. Attention: only language codes are allowed. | `'de'` |
| `PART-NR` | Partner number. | |
| `POL-NR` | Policy number. | |
| `APPL-ID-CLIENT` | ID of the invoking application. | |
| `KSCHILD-KOMPL` | License plate. | |
| `KSCHILD-FARB-CDU` | License plate's color. | |
| `URL-SOURCE-APPL` | URL of the invoking application. | |
| `URL-SC-FORMLR-HAGEL` | URL for hail jump (NVP value). | |
| `URL-DATEN-SCHUTZ-ERKLRG` | URL for data protection jump (NVP value). | |
| `URL-SC-FORMLR-KOLSN-FZ-GLIEH` | URL for collision rented jump (NVP value). | |
| `URL-SC-FORMLR-MARDER` | URL for damage marten jump (NVP value). | |
| `URL-SC-FORMLR-GLSBRU` | URL for glass bot jump (NVP value). | |
| `URL-SC-FORMLR-MFZ` | URL for eform car jump (NVP value). | |
| `URL-SC-FORMLR-GRT-EREIG` | URL for car careless warranty jump (NVP value). | |
| `IS-START-FROM-APP` | Passthrough attribute to tell the process it has been started from the myAXA app. | |
The UI-Renderer reads the current `window.location` and looks for the following query params:

| Name | Description | Default |
|---|---|---|
| `forceNewProcess` | Force to start a new process; must be set to `1`. | none |
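The tables above state several precedence rules (axa.ch aliases, `PROCESS_INSTANCE_ID` over `PROCESS_NAME`, `OAUTH_TOKEN` over `END_USER_KEY`, the attribute defaults, the NVP rename map, and `forceNewProcess` being honoured only when it equals `1`). The following is an added example, not code from @axa-ch/aletheia, that resolves a renderer configuration from a plain attribute map while applying those rules. It assumes `data-aletheia-nvp` and `data-aletheia-nvp-names-map` carry JSON (an array of `{name, value}` objects and a name-to-name object respectively) and that the `SPRA-CDI` value is the language part of the locale, since that NVP only accepts language codes; both are assumptions, as are the sample values.

```javascript
// Added example, not @axa-ch/aletheia's own code: resolve the UI-Renderer
// configuration from data attributes, NVPs and query params as the README
// tables describe them. JSON shapes for the NVP attributes are assumed.

// ONLY on axa.ch: generic attribute names map to their aletheia names.
const AXA_CH_ALIASES = {
  "data-stage": "data-aletheia-stage",
  "data-language": "data-aletheia-locale",
};

// Defaults as listed in the attribute tables; everything else starts empty.
const DEFAULTS = {
  "data-aletheia-is-from-my-axa": "false",
  "data-aletheia-uls": "false",
  "data-aletheia-locale": "de-CH",
  "data-aletheia-on-process-ended": "onTestEnded",
  "data-aletheia-on-process-error": "onTestError",
  "data-aletheia-on-process-aborted": "onTestAborted",
};

function toBoolean(value) {
  return String(value).trim().toLowerCase() === "true";
}

// Merge raw attributes over the defaults, resolving axa.ch aliases and
// dropping anything that is not a data-aletheia-* attribute.
function normalizeAttributes(rawAttrs) {
  const attrs = { ...DEFAULTS };
  for (const [name, value] of Object.entries(rawAttrs)) {
    const key = AXA_CH_ALIASES[name] || name;
    if (key.startsWith("data-aletheia-")) attrs[key] = value;
  }
  return attrs;
}

// Precedence from the tables: instance id beats process name, and an OAuth
// token makes the end-user key irrelevant. Only the auth mode is reported,
// so the token itself never ends up in anything that gets logged.
function resolveProcessStart(attrs) {
  const instanceId = attrs["data-aletheia-process-instance-id"];
  const processName = attrs["data-aletheia-process-name"];
  const oauthToken = attrs["data-aletheia-oauth-token"];
  const endUserKey = attrs["data-aletheia-end-user-key"];
  let start = null;
  if (instanceId) start = { kind: "instance", id: instanceId };
  else if (processName) start = { kind: "process", name: processName };
  return {
    stage: attrs["data-aletheia-stage"],
    locale: attrs["data-aletheia-locale"],
    start,
    auth: oauthToken ? "bearer" : endUserKey ? "end-user-key" : "none",
    endUserKey: oauthToken ? undefined : endUserKey || undefined,
    fromMyAxa: toBoolean(attrs["data-aletheia-is-from-my-axa"]),
    uls: toBoolean(attrs["data-aletheia-uls"]),
  };
}

// Callbacks are looked up by name on the global object. Only a real function
// is accepted, so a stray attribute value cannot turn some other global
// into a call target.
function resolveCallback(attrs, attrName, globalScope) {
  const fn = globalScope[attrs[attrName]];
  return typeof fn === "function" ? fn : null;
}

// Build the NVP list: explicit NVP JSON (assumed [{name, value}]), plus the
// attributes with a fixed NVP-Name, then rename through the names map.
function buildNvps(attrs) {
  const nvps = attrs["data-aletheia-nvp"] ? JSON.parse(attrs["data-aletheia-nvp"]) : [];
  const namesMap = attrs["data-aletheia-nvp-names-map"]
    ? JSON.parse(attrs["data-aletheia-nvp-names-map"])
    : {};
  if (attrs["data-aletheia-app-id"]) nvps.push({ name: "APPL-ID-CLIENT", value: attrs["data-aletheia-app-id"] });
  if (attrs["data-aletheia-referrer"]) nvps.push({ name: "URL-SOURCE-APPL", value: attrs["data-aletheia-referrer"] });
  // SPRA-CDI accepts only language codes, so the language part of the locale is used (assumption).
  if (attrs["data-aletheia-locale"]) nvps.push({ name: "SPRA-CDI", value: attrs["data-aletheia-locale"].split("-")[0] });
  return nvps.map((nvp) => ({ name: namesMap[nvp.name] || nvp.name, value: nvp.value }));
}

// The renderer reads window.location; forceNewProcess counts only when it is exactly "1".
function forceNewProcess(href) {
  return new URL(href).searchParams.get("forceNewProcess") === "1";
}

function resolveConfig(rawAttrs, href, globalScope) {
  const attrs = normalizeAttributes(rawAttrs);
  return {
    ...resolveProcessStart(attrs),
    nvps: buildNvps(attrs),
    forceNewProcess: forceNewProcess(href),
    onProcessEnded: resolveCallback(attrs, "data-aletheia-on-process-ended", globalScope),
    onProcessError: resolveCallback(attrs, "data-aletheia-on-process-error", globalScope),
    onProcessAborted: resolveCallback(attrs, "data-aletheia-on-process-aborted", globalScope),
  };
}

// Constructed sample input (not real values): attributes as they would sit on the host element.
const SAMPLE_ATTRS = {
  "data-stage": "acc", // axa.ch alias -> data-aletheia-stage
  "data-language": "fr-CH", // axa.ch alias -> data-aletheia-locale
  "data-aletheia-process-name": "claim-report",
  "data-aletheia-process-instance-id": "abc-123", // wins over process-name
  "data-aletheia-end-user-key": "user-42",
  "data-aletheia-oauth-token": "placeholder-token", // makes end-user-key ignored
  "data-aletheia-app-id": "myapp",
  "data-aletheia-nvp": '[{"name":"POL-NR","value":"P-1"}]',
  "data-aletheia-nvp-names-map": '{"POL-NR":"POLICY"}',
  "data-aletheia-on-process-ended": "done",
  "data-aletheia-on-process-error": "notAFunction",
  "data-unrelated": "ignored",
};
const SAMPLE_SCOPE = { done: () => "ended", notAFunction: "x" }; // stands in for window
const SAMPLE_HREF = "https://example.invalid/page?forceNewProcess=1";

console.log(JSON.stringify(resolveConfig(SAMPLE_ATTRS, SAMPLE_HREF, SAMPLE_SCOPE), null, 2));
```

In the sample, the instance id is chosen over the process name, the end-user key is dropped because a bearer token is present, `data-aletheia-on-process-error` resolves to `null` because the named global is not a function, and the default `onTestAborted` resolves to `null` because nothing by that name exists in the scope.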
AXA UI Renderer
We found that @axa-ch/aletheia demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 52 open source maintainers collaborating on the project.