@build-security/opa-express-middleware
build.security provides simple development and management for your organization's authorization policy. opa-express-middleware is a Node.js Express middleware intended for performing authorization requests against a build.security PDP (Policy Decision Point)/OPA.
Before you start we recommend completing the onboarding tutorial.
Important note
To simplify the setup process, the following example uses a local build.security PDP instance. If you are already familiar with how to run your PDP, you can also run a PDP in your own environment (Dev/Prod, etc.).
In that case, don't forget to change the hostname and the port in your code.
```javascript
const express = require('express');
const bodyParser = require('body-parser');
const extAuthz = require('@build-security/opa-express-middleware');
const port = 3000;
const app = express();
// Every request is checked against the rule at policyPath on the local PDP
const extAuthzMiddleware = extAuthz.authorize((req) => ({
  port: 8181,
  hostname: 'http://localhost',
  policyPath: '/authz/allow',
}));
app.use(bodyParser.json(), extAuthzMiddleware);
app.listen(port, () => {
  console.log(`Now listening on http://localhost:${port}`);
});
```
The object returned by the `authorize` callback accepts the following fields:

- `hostname`: The hostname of the Policy Decision Point (PDP).
- `port`: The port at which the OPA service is running.
- `policyPath`: Full path to the policy (including the rule) that decides whether requests should be authorized.
- `allowOnFailure`: Boolean. "Fail open" mechanism to allow access to the API in case the policy engine is not reachable. Default is false.
- `includeBody`: Boolean. Whether or not to pass the request body to the policy engine. Default is true.
- `includeHeaders`: Boolean. Whether or not to pass the request headers to the policy engine. Default is true.
- `timeout`: Integer. Amount of time to wait before the request is abandoned and declared as failed. Default is 1000ms.
- `enable`: Boolean. Whether or not to consult the policy engine for the specific request. Default is true.
- `enrich`: Object. An object to attach to the request that is being sent to the policy engine. Default is an empty object `{}`.

The following example consults the policy engine only for GET requests, enriches the PDP input with a `serviceId`, and requires the `user.read` permission on the route:

```javascript
const express = require('express');
const bodyParser = require('body-parser');
const extAuthz = require('@build-security/opa-express-middleware');
const app = express();
const extAuthzMiddleware = extAuthz.authorize((req) => ({
  port: 8181,
  hostname: 'http://localhost',
  policyPath: '/authz/allow',
  enable: req.method === "GET", // skip the PDP for non-GET requests
  enrich: { serviceId: 1 }      // extra field merged into the PDP input
}));
app.use(bodyParser.json());
// permissions('user.read') declares the permission the PDP input will carry for this route
app.get('/region/:region/users/:userId', extAuthz.permissions('user.read'), extAuthzMiddleware, (req, res) => {
  res.send('allowed');
});
```
This is what the input received by the PDP would look like.
```json
{
  "input": {
    "request": {
      "method": "GET",
      "query": {},
      "path": "/region/israel/users/buildsec",
      "scheme": "http",
      "host": "localhost",
      "body": {},
      "headers": {
        "host": "localhost:3000",
        "user-agent": "curl/7.64.1",
        "accept": "*/*"
      }
    },
    "source": {
      "port": 56038,
      "ipAddress": "::1"
    },
    "destination": {
      "port": 3000,
      "ipAddress": "::1"
    },
    "resources": {
      "attributes": {
        "region": "1",
        "userId": "2"
      },
      "permissions": [
        "user.read"
      ]
    },
    "serviceId": 1
  }
}
```
If everything works well you should receive the following response:
```json
{
  "decision_id": "ef414180-05bd-4817-9634-7d1537d5a657",
  "result": true
}
```
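The following is an added illustrative example, not the package's own code: it rebuilds the PDP input document in the shape shown above from an Express-style request and applies the decision logic fail-closed unless `allowOnFailure` is set. It assumes the permissions middleware has left the route's permissions on a hypothetical `req.permissions` field, and the sample request is constructed here.

```javascript
// Added example (not part of @build-security/opa-express-middleware).
// Builds the PDP input from an Express-style request, honouring the
// includeBody / includeHeaders / enrich options documented above.
function buildPdpInput(req, opts = {}) {
  const { includeBody = true, includeHeaders = true, enrich = {} } = opts;
  return {
    input: {
      request: {
        method: req.method,
        query: req.query || {},
        path: req.path,
        scheme: req.protocol,
        host: req.hostname,
        body: includeBody ? req.body || {} : {},
        headers: includeHeaders ? req.headers || {} : {},
      },
      source: { port: req.socket.remotePort, ipAddress: req.socket.remoteAddress },
      destination: { port: req.socket.localPort, ipAddress: req.socket.localAddress },
      // route params become resource attributes; req.permissions is an assumed field
      resources: { attributes: req.params || {}, permissions: req.permissions || [] },
      // enrich fields (e.g. serviceId) are merged at the top level of input
      ...enrich,
    },
  };
}

// pdpResponse: the PDP's JSON body, or null when the call failed or timed out.
// Only a strict boolean true is treated as an allow; anything else denies.
function decide(pdpResponse, { allowOnFailure = false } = {}) {
  if (pdpResponse === null) return allowOnFailure; // fail closed by default
  return pdpResponse.result === true;
}

// Constructed sample request mirroring the curl call documented above.
const sampleReq = {
  method: 'GET',
  path: '/region/israel/users/buildsec',
  protocol: 'http',
  hostname: 'localhost',
  query: {},
  body: {},
  headers: { host: 'localhost:3000', 'user-agent': 'curl/7.64.1', accept: '*/*' },
  params: { region: 'israel', userId: 'buildsec' },
  permissions: ['user.read'],
  socket: { remotePort: 56038, remoteAddress: '::1', localPort: 3000, localAddress: '::1' },
};

console.log(JSON.stringify(buildPdpInput(sampleReq, { enrich: { serviceId: 1 } }), null, 2));
console.log('PDP unreachable, default:', decide(null));                                // false
console.log('PDP unreachable, allowOnFailure:', decide(null, { allowOnFailure: true })); // true
```

Note that a non-boolean `result` (or a missing one) is treated as a deny, so a malformed PDP reply cannot accidentally grant access.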
FAQs
Node.js express middleware to authorize API requests using a 3rd party policy engine (OPA). If you're not familiar with OPA, please [learn more](https://www.openpolicyagent.org/).
The npm package @build-security/opa-express-middleware receives a total of 17 weekly downloads. As such, @build-security/opa-express-middleware popularity was classified as not popular.
We found that @build-security/opa-express-middleware demonstrated an unhealthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.