@nymdev/express-nymag-user
Comparing version 0.0.3 to 0.0.4
index.js
@@ -6,5 +6,14 @@ 'use strict'; | ||
cookieParser = require('cookie-parser'), | ||
cookieName = 'user', | ||
defaultBlockDomains = ['nymetro.com']; | ||
cookieName = 'user'; | ||
function getDefaultBlockDomains() { | ||
const blockDomains = process.env.BLOCK_DOMAINS; | ||
if (_.isString(blockDomains) && blockDomains.length) { | ||
return _.map(blockDomains.split(','), _.trim); | ||
} else { | ||
return []; | ||
} | ||
} | ||
/** | ||
@@ -23,7 +32,7 @@ * @param {string} target | ||
* @param {object} options | ||
* @param {[string]} [options.blockDomains=defaultBlockDomains] | ||
* @param {[string]} [options.blockDomains] | ||
* @returns {boolean} | ||
*/ | ||
function isOnBlockList(host, options) { | ||
const blockDomains = _.get(options, 'blockDomains', defaultBlockDomains); | ||
const blockDomains = _.get(options, 'blockDomains', getDefaultBlockDomains()); | ||
@@ -42,3 +51,3 @@ if (!_.isArray(blockDomains)) { | ||
* @param {function} [options.isProtected] | ||
* @param {[string]} [options.blockDomains=defaultBlockDomains] | ||
* @param {[string]} [options.blockDomains] | ||
* @returns {boolean} | ||
@@ -45,0 +54,0 @@ */ |
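Review bot: With `defaultBlockDomains = ['nymetro.com']` removed, `getDefaultBlockDomains()` returns `[]` whenever `BLOCK_DOMAINS` is unset or empty, so a deployment that relied on the built-in default silently gets an empty block list after upgrading; judging by the added tests, a host that is not on the list is not treated as protected, which would make this fail open. The README hunk in this same release documents `export BLOCK_DOMAIN=...` (singular), a name this function never reads, so following the docs produces the same empty list. Consider logging a warning when the list resolves to empty, correcting the variable name in the README, and dropping blank entries left by a trailing comma with `return _.compact(_.map(blockDomains.split(','), _.trim));`. The body of `isOnBlockList` continues outside the hunk, so how entries are compared with the host (case, subdomains) is not visible here.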
{ | ||
"name": "@nymdev/express-nymag-user", | ||
"version": "0.0.3", | ||
"version": "0.0.4", | ||
"description": "Handles in-house user identification as middleware for express via a cookie", | ||
@@ -5,0 +5,0 @@ "main": "index.js", |
@@ -7,2 +7,8 @@ Express NYMag User | ||
Domain can be set in the options, or with environment variables like: | ||
```bash | ||
export BLOCK_DOMAIN=your_domain1.biz,your_domain1.biz | ||
``` | ||
NOTE: Use with care. It's the same as user's volunteering their own username, and is not auth. Temporary until OAuth. | ||
@@ -15,7 +21,7 @@ | ||
app = express(), | ||
expressNYMagAuth = require('@nymdev/express-nymag-auth'), | ||
authServer = 'http://auth.nymag.com:5000/login?redirect_to='; | ||
expressNYMagUser = require('@nymdev/express-nymag-user'), | ||
authServer = 'http://some_auth_server/login?redirect_to='; | ||
app.use(expressNYMagAuth({ | ||
blockDomains: ['nymag.com'], | ||
app.use(expressNYMagUser({ | ||
blockDomains: ['your_domain.biz'], | ||
redirectTo: function (originalUrl) { | ||
@@ -22,0 +28,0 @@ return authServer + encodeURIComponent(originalUrl); |
@@ -103,4 +103,52 @@ 'use strict'; | ||
}); | ||
it('returns true when has everything but domain from env', function () { | ||
var req = { | ||
get: _.constant('some host'), | ||
cookies: {} | ||
}, | ||
options = { | ||
isProtected: function () { | ||
return true; | ||
} | ||
}; | ||
process.env.BLOCK_DOMAINS = 'some host'; | ||
expect(fn(req, options)).to.equal(true); | ||
}); | ||
it('returns true when has everything but domain from env with many items', function () { | ||
var req = { | ||
get: _.constant('some host'), | ||
cookies: {} | ||
}, | ||
options = { | ||
isProtected: function () { | ||
return true; | ||
} | ||
}; | ||
process.env.BLOCK_DOMAINS = 'some other host, some host, some other host'; | ||
expect(fn(req, options)).to.equal(true); | ||
}); | ||
it('returns false when has everything but domain from env is not there', function () { | ||
var req = { | ||
get: _.constant('some host'), | ||
cookies: {} | ||
}, | ||
options = { | ||
isProtected: function () { | ||
return true; | ||
} | ||
}; | ||
process.env.BLOCK_DOMAINS = 'some other host, some _other_ host'; | ||
expect(fn(req, options)).to.equal(false); | ||
}); | ||
}); | ||
}); | ||
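Review bot: Each of the three added cases assigns `process.env.BLOCK_DOMAINS` and none restores it, so the value set by one test leaks into every later test in the same process and results can depend on run order. Add `afterEach(function () { delete process.env.BLOCK_DOMAINS; });` to the enclosing `describe`, which opens outside this hunk. There is also no case for the variable being unset with no `options.blockDomains`, which is the path where the list is now empty instead of the old built-in default; that case deserves an explicit expectation so the behavior is a recorded decision.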
Environment variable access
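Supply chain risk: Package accesses environment variables, which may be a sign of credential stuffing or data theft. The access visible in this diff's index.js is a read of `process.env.BLOCK_DOMAINS`, used as configuration for the block list.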
Found 1 instance in 1 package
New author
Supply chain risk: A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Found 1 instance in 1 package