Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
@coolaj86/urequest
Advanced tools
A lightweight alternative to (and drop-in replacement for) request.
Written from scratch.
µRequest is designed to be a drop-in replacement for request. It supports HTTPS and follows redirects by default.
npm install --save @coolaj86/urequest
var request = require('@coolaj86/urequest');
request('http://www.google.com', function (error, response, body) {
console.log('error:', error); // Print the error if one occurred
console.log('statusCode:', response && response.statusCode); // Print the response status code if a response was received
console.log('body:', body); // Print the HTML for the Google homepage.
});
urequest
supports application/x-www-form-urlencoded
and multipart/form-data
form uploads.
URL-encoded forms are simple.
request.post('http://service.com/upload', {form:{key:'value'}})
// or
request.post({url:'http://service.com/upload', form: {key:'value'}}, function(err,httpResponse,body){ /* ... */ })
For multipart/form-data
we use the form-data library by @felixge. For the most cases, you can pass your upload form data via the formData
option.
To use form-data
, you must install it separately:
npm install --save form-data@2
var formData = {
// Pass a simple key-value pair
my_field: 'my_value',
// Pass data via Buffers
my_buffer: Buffer.from([1, 2, 3]),
// Pass data via Streams
my_file: fs.createReadStream(__dirname + '/unicycle.jpg'),
// Pass multiple values /w an Array
attachments: [
fs.createReadStream(__dirname + '/attachment1.jpg'),
fs.createReadStream(__dirname + '/attachment2.jpg')
],
// Pass optional meta-data with an 'options' object with style: {value: DATA, options: OPTIONS}
// Use case: for some types of streams, you'll need to provide "file"-related information manually.
// See the `form-data` README for more information about options: https://github.com/form-data/form-data
custom_file: {
value: fs.createReadStream('/dev/urandom'),
options: {
filename: 'topsecret.jpg',
contentType: 'image/jpeg'
}
}
};
request.post({url:'http://service.com/upload', formData: formData}, function optionalCallback(err, httpResponse, body) {
if (err) {
return console.error('upload failed:', err);
}
console.log('Upload successful! Server responded with:', body);
});
See the form-data README for more information & examples.
request.get('http://some.server.com/', {
'auth': {
'user': 'username',
'pass': 'password',
'sendImmediately': false
}
});
// or
request.get('http://some.server.com/', {
'auth': {
'bearer': 'bearerToken'
}
});
If passed as an option, auth
should be a hash containing values:
user
|| username
pass
|| password
bearer
(optional)Note that you can also specify basic authentication using the URL itself, as
detailed in RFC 1738. Simply pass the
user:password
before the host with an @
sign:
var username = 'username',
password = 'password',
url = 'http://' + username + ':' + password + '@some.server.com';
request({url: url}, function (error, response, body) {
// Do more stuff with 'body' here
});
Bearer authentication is supported, and is activated when the bearer
value is
available. The value may be either a String
or a Function
returning a
String
. Using a function to supply the bearer token is particularly useful if
used in conjunction with defaults
to allow a single function to supply the
last known token at the time of sending a request, or to compute one on the fly.
HTTP Headers, such as User-Agent
, can be set in the options
object.
In the example below, we call the github API to find out the number
of stars and forks for the request repository. This requires a
custom User-Agent
header as well as https.
var request = require('request');
var options = {
url: 'https://api.github.com/repos/request/request',
headers: {
'User-Agent': 'request'
}
};
function callback(error, response, body) {
if (!error && response.statusCode == 200) {
var info = JSON.parse(body);
console.log(info.stargazers_count + " Stars");
console.log(info.forks_count + " Forks");
}
}
request(options, callback);
urequest
supports making requests to UNIX Domain Sockets. To make one, use the following URL scheme:
/* Pattern */ 'http://unix:SOCKET:PATH'
/* Example */ request.get('http://unix:/absolute/path/to/unix.socket:/request/path')
Note: The SOCKET
path is assumed to be absolute to the root of the host file system.
The first argument can be either a url
or an options
object. The only required option is uri
; all others are optional.
uri
|| url
- fully qualified uri or a parsed url object from url.parse()
method
- http method (default: "GET"
)headers
- http headers (default: {}
)body
- entity body for PATCH, POST and PUT requests. Must be a Buffer
, String
or ReadStream
. If json
is true
, then body
must be a JSON-serializable object.json
- sets body
to JSON representation of value and adds Content-type: application/json
header. Additionally, parses the response body as JSON.followRedirect
- follow HTTP 3xx responses as redirects (default: true
). This property can also be implemented as function which gets response
object as a single argument and should return true
if redirects should continue or false
otherwise.followAllRedirects
- follow non-GET HTTP 3xx responses as redirects (default: false
)followOriginalHttpMethod
- by default we redirect to HTTP method GET. you can enable this property to redirect to the original HTTP method (default: false
)maxRedirects
- the maximum number of redirects to follow (default: 10
)removeRefererHeader
- removes the referer header when a redirect happens (default: false
). Note: if true, referer header set in the initial request is preserved during redirect chain.encoding
- encoding to be used on setEncoding
of response data. If null
, the body
is returned as a Buffer
. Anything else (including the default value of undefined
) will be passed as the encoding parameter to toString()
(meaning this is effectively utf8
by default). (Note: if you expect binary data, you should set encoding: null
.)There are also shorthand methods for different HTTP METHODs and some other conveniences.
This method returns a wrapper around the normal request API that defaults to whatever options you pass to it.
Note: request.defaults()
does not modify the global request API;
instead, it returns a wrapper that has your default settings applied to it.
Note: You can call .defaults()
on the wrapper that is returned from
request.defaults
to add/override defaults that were previously defaulted.
For example:
//requests using baseRequest() will set the 'x-token' header
var baseRequest = request.defaults({
headers: {'x-token': 'my-token'}
})
//requests using specialRequest() will include the 'x-token' header set in
//baseRequest and will also include the 'special' header
var specialRequest = baseRequest.defaults({
headers: {special: 'special value'}
})
These HTTP method convenience functions act just like request()
but with a default method already set for you:
method: "GET"
.method: "POST"
.method: "PUT"
.method: "PATCH"
.method: "DELETE"
.method: "HEAD"
.method: "OPTIONS"
.There are at least two ways to debug the operation of request
:
Launch the node process like NODE_DEBUG=urequest node script.js
(lib,request,otherlib
works too).
Set require('@coolaj86/urequest').debug = true
at any time (this does the same thing
as #1).
FAQs
A lightweight drop-in replacement for request
We found that @coolaj86/urequest demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.