Security News
CVE Volume Surges Past 48,000 in 2025 as WordPress Plugin Ecosystem Drives Growth
CVE disclosures hit a record 48,185 in 2025, driven largely by vulnerabilities in third-party WordPress plugins.
By Sarah Gooding - Jan 09, 2026
database-proxy
Advanced tools
database-proxy
Through a set of access control rules configuration database access to realize the client directly access the database via HTTP.
介绍
`database-proxy` 是一个「超级API」,一个 API 替代服务端 90% 的传统 APIs。
通过一套「访问控制规则」配置数据库访问,让前端开发者“安全直连”数据库,再也不需要和服务端对接口了!
客户端使用 `laf-client-sdk` ,像在服务端操作数据库那样,在客户端直接读写相应的数据即可。
使用
npm install database-proxy
服务端代码示例
const app = require('express')()
const { Proxy, MongoAccessor, Policy } = require('database-proxy')
const { MongoClient } = require('mongodb')
app.use(express.json())
// design the access control policy rules
const rules = {
categories: {
"read": true,
"update": "!uid",
"add": "!uid",
"remove": "!uid"
}
}
const client = new MongoClient('mongodb://localhost:27017')
client.connect()
// create an accessor
const accessor = new MongoAccessor(client)
// create a policy
const policy = new Policy(accessor)
policy.load(rules)
// create an proxy
const proxy = new Proxy(accessor, policy)
app.post('/proxy', async (req, res) => {
const { uid } = parseToken(req.headers['authorization'])
const injections = {
uid: uid
}
// parse params
const params = proxy.parseParams(req.body)
// validate query
const result = await proxy.validate(params, injections)
if (result.errors) {
return res.send({
code: 1,
error: result.errors
})
}
// execute query
const data = await proxy.execute(params)
return res.send({
code: 0,
data
})
})
app.listen(8080, () => console.log('listening on 8080'))
客户端使用
npm install laf-client-sdk
const cloud = require('laf-client-sdk').init({
dbProxyUrl: 'http://localhost:8080/proxy',
getAccessToken: () => localStorage.getItem('access_token')
})
const db = cloud.database()
// 查询文档
const res = await db.collection('categories').get()
// 条件查询
const res = await db.collection('articles')
.where({status: 'published'})
.orderBy({createdAt: 'asc'})
.offset(0)
.limit(20)
.get()
// 更新
const res = await db.collection('articles')
.doc('the-doc-id').update({
title: 'new-title'
})
更多使用参考客户端使用文档
数据访问安全规则示例
简单示例 1:简单博客
{
"categories": {
"read": true,
"update": "$admin === true",
"add": "$admin === true",
"remove": "$admin === true"
},
"articles": {
"read": true,
"update": "$admin === true",
"add": "$admin === true",
"remove": "$admin === true"
}
}
简单示例 2:多用户博客
{
"articles": {
"read": true,
"update": "$userid && $userid === query.createdBy",
"add": "$userid && data.createdBy === $userid",
"remove": "$userid === query.createBy || $admin === true"
}
}
复杂示例 1: 数据验证
{
"articles": {
"add": {
"condition": "$userid && data.createdBy === $userid"
},
"remove": "$userid === query.createBy || $admin === true",
"$schema": {
"title": {"length": [1, 64], "required": true},
"content": {"length": [1, 4096]},
"like": { "number": [0,], "default": 0}
}
}
}
复杂示例 2:更高级的数据验证
场景介绍: 用户之间站内消息表访问规则
{
"messages": {
"read": "$userid && ($userid === query.receiver || $userid === query.sender)",
"update": {
"condition": "$userid && $userid === query.receiver",
"data": {
"read": {"in": [true]}
}
},
"add": {
"condition": "$userid && $userid === data.sender",
"data": {
"read": {"in": [false]}
}
},
"remove": false,
"$schema": {
"content": {"length": [1, 20480], "required": true},
"receiver": {"exists": "/users/id"},
"read": { "in": [true, false], "default": false }
}
}
}
运行测试
安装依赖
npm i
单元测试
npx mocha tests/units/*.test.js
数据库访问测试
Mongo
使用 Docker 启动个测试数据库,等待mongo 启动成功
docker pull mongo
docker run --rm -p 27018:27017 --name mongotest -d mongo
执行测试用例
npx mocha tests/mongo_db/*.test.js
停止&删除 Mongo 实例
docker rm -f mongotest
MySQL
使用 Docker 启动个测试数据库,等待mongo 启动成功
docker pull mysql
docker run --name mysqltest -e MYSQL_ROOT_PASSWORD=kissme -e MYSQL_DATABASE=testdb -d -p 3306:3306 mysql
手动创建测试使用的数据表:
create table IF NOT EXISTS categories (
id int not null auto_increment,
name varchar(64) not null,
created_at int,
primary key(id)
)ENGINE=InnoDB DEFAULT CHARSET=utf8;
create table IF NOT EXISTS articles (
id int not null auto_increment,
title varchar(64) not null,
category_id int,
content text,
created_at int,
updated_at int,
created_by int,
primary key(id)
)ENGINE=InnoDB DEFAULT CHARSET=utf8;
执行测试用例
npx mocha tests/mysql_db/*.test.js
停止&删除 Mongo 实例
docker rm -f mysqltest
执行所有测试用例
请确保已经运行 mongo 和 mysql 测试的实例;
npx mocha tests/**/*.test.js
FAQs
Through a set of access control rules configuration database access to realize the client directly access the database via HTTP.
The npm package database-proxy receives a total of 61 weekly downloads. As such, database-proxy popularity was classified as not popular.
We found that database-proxy demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Package last updated on 01 Apr 2024
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
Insecure Agents Podcast: Certified Patches, Supply Chain Security, and AI Agents
Socket CEO Feross Aboukhadijeh joins Insecure Agents to discuss CVE remediation and why supply chain attacks require a different security approach.
By Sarah Gooding - Jan 08, 2026
Security News
Tailwind CSS Announces 75% Layoffs as LLMs Reshape OSS Business Models
Tailwind Labs laid off 75% of its engineering team after revenue dropped 80%, as LLMs redirect traffic away from documentation where developers discover paid products.
By Sarah Gooding - Jan 08, 2026