express-token-api-middleware
Advanced tools
express-token-api-middleware - npm Package Compare versions
Comparing version 0.5.1 to 0.6.0
11
index.js
@@ -56,3 +56,4 @@ 'use strict'; | ||
| * @property {string|RegExp} [path] An optional request path that the user is allowed to access (falsey means no restrictions) | ||
| * @property {RateLimit|number} rate A request rate limit that will prevent a user from sending to many requests per second | ||
| * @property {RateLimit|number} [rate] A request rate limit that will prevent a user from sending to many requests per second | ||
| * @property {string|number|Date} [exp] An expiration date when the token will no longer be valid | ||
| */ | ||
@@ -127,2 +128,3 @@ | ||
| } | ||
| req.user = user; | ||
| if (user.path && !user.path.test(req.originalUrl)) { | ||
@@ -134,3 +136,8 @@ this.emitter.emit('reject', req); | ||
| } | ||
| req.user = user; | ||
| if (user.exp && user.exp < Date.now()) { | ||
| this.emitter.emit('expired', req); | ||
| let message = 'The user token has expired: ' + new Date(user.exp).toISOString(); | ||
| this.config.logger(message); | ||
| return this.config.error(req, res, next, 403, message); | ||
| } | ||
| try { | ||
@@ -137,0 +144,0 @@ this.limiter.check(user, next); |
@@ -22,2 +22,3 @@ 'use strict'; | ||
| config.path = config.path instanceof RegExp ? config.path.source : config.path; | ||
| config.exp && (config.exp = Tokens._toDate(config.exp)); | ||
| var payload = new Buffer(JSON.stringify(config), 'utf8'); | ||
@@ -36,2 +37,24 @@ var iv = crypto.randomBytes(12); | ||
| /** | ||
| * | ||
| * @param {Date|number|string} val | ||
| * @returns {Number} | ||
| * @private | ||
| */ | ||
| static _toDate(val) { | ||
| if (typeof val == 'string') { | ||
| val = Date.parse(val); | ||
| } | ||
| if (!isNaN(val)) { | ||
| val = new Date(val) | ||
| } | ||
| if (val instanceof Date) { | ||
| if (val.getTime() <= Date.now()) { | ||
| throw new Error('Invalid token configuration: already beyond expiration date'); | ||
| } | ||
| return val.getTime(); | ||
| } | ||
| throw new Error('Expiration is in an unknown format'); | ||
| } | ||
| /** | ||
| * @param {string} token The auth token on the user request | ||
@@ -38,0 +61,0 @@ * @returns {TokenConfig|null} The token config/user object or null if there was an error decoding the user. |
| { | ||
| "name": "express-token-api-middleware", | ||
| "version": "0.5.1", | ||
| "version": "0.6.0", | ||
| "description": "An express middleware that allows to protect an api behind token authentication, rate limiting and endpoint permissions.", | ||
@@ -5,0 +5,0 @@ "license": "Apache-2.0", |
@@ -102,2 +102,3 @@ # express-token-api-middleware | ||
| rate: 100, | ||
| exp: Date.now() + 86400000 | ||
| custom: 'whatever' | ||
@@ -111,3 +112,4 @@ }); | ||
| * path: A regular expression or string that will be treated as regex that decides whether the user is allowed to access an endpoint on the server. | ||
| * rate: Define the minimum interval between requests that a user can make. This setting can be a number (in ms) or a string with a unit (e.g. "100ms") | ||
| * rate: Define the minimum interval between requests that a user can make. This setting can be a number (in ms) or a string with a unit (e.g. "100ms"). | ||
| * exp: Set an expiration rate for this token. This can be a number, a Date object or a string that Date.parse understands. | ||
@@ -193,2 +195,7 @@ Rate limitation works in such a way that incoming requests will have a minimum interval of the given value. If 2 requests come in faster than that, | ||
| ### expired(req) | ||
| Triggered whenever a user token has expired. The request object includes the decrypted user object. | ||
| ### timeout(req) | ||
@@ -216,3 +223,1 @@ | ||
| * Rate limit based on number of calls instead of timing | ||
| * Maximum wait time for requests (e.g. if delay is > 1 minute, reject request) | ||
| * Events/custom handlers for different steps... but then again you can just use your own handler with the user object in the request chain. |
@@ -58,2 +58,21 @@ /* global describe, it, beforeEach, afterEach */ | ||
| it('should create a token that is time limited', done => { | ||
| var app = express(); | ||
| var tokenManager = middleware({ | ||
| password: 'test', | ||
| salt: crypto.randomBytes(16) | ||
| }); | ||
| app.use(tokenManager); | ||
| app.get('/test', (req, res) => res.end()); | ||
| var token = tokenManager.getToken({ | ||
| id: '1', | ||
| exp: Date.now() + 20 | ||
| }); | ||
| setTimeout(() => { | ||
| request(app).get('/test').set('Authorization', token).expect(403, done); | ||
| }, 50); | ||
| }); | ||
| it('should create a token that is rate limited', done => { | ||
@@ -60,0 +79,0 @@ var app = express(); |
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
Sorry, the diff of this file is not supported yet
New alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Fixed alerts
License Policy Violation
LicenseThis package is not allowed per your license policy. Review the package's license to ensure compliance.
Found 1 instance in 1 package
Improved metrics
- Total package byte prevSize
- increased by9.8%
81007
- Number of package files
- increased by11.11%
20
- Lines of code
- increased by13.41%
592
- Number of lines in readme file
- increased by2.33%
220