Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
harcon-radiation
Advanced tools
Harcon-Radiation - An extension to the harcon library to automatically expose selected entities through REST and/or Websocket.
================ harcon-radiation is a small, yet handy tool extending the harcon library to provide a REST-, and Websocket-based interface to it.
Every time you publish or revoke an object-based entity, the harcon-radiation reacts to the changes and maintain the interfaces transparently.
$ npm install harcon-radiation
var harcon = new Harcon( { ... } )
harcon.init( function (err) {} )
var radiation = new Radiation( harcon )
var rest = require('connect-rest')
var connect = require('connect')
...
var app = connect()
...
app.use( radiation.rester( rest, options ) ) // Activates the REST services
...
server = http.createServer(app)
io = radiation.io( io.listen( server ) ) // Activates the Websocket services
...
harcon.addicts( {
name: 'julie',
context: 'book',
rest: true,
websocket: true,
log: function( data, callback ){
callback( null, 'Done.' )
}
} )
The example shows how you can attach the radiation to a connect/express instance and link to your harcon instance. You can activate the REST and Websocket interfaces. Any object-based entities published to harcon possessing attributes 'rest' and 'websocket' will be exposed through those interfaces automatically.
The default behavior is to publish all services. However, one can define rules to make exceptions. By setting the option hideInnerServices, harcon-radiation will hide inner services and won't publish them
var radiation = new Radiation( harcon, { hideInnerServices: true } )
harcon-radiation ignores a service in 2 cases:
var radiation = new Radiation( harcon, { hideInnerServices: true, innerServicesPrefix: '_' } )
var radiation = new Radiation( harcon, { hideInnerServices: true, innerServicesFn: function(name){
return name.startsWith('inner') || name.startsWith('sys')
} } )
There are 3 options to expose services through REST-like interface:
By default, option 1 is turned on, and the rest options are passive.
RESTful interface means a POST service using the addressing logic implemented in harcon. To address a service exposed, you have to compose a URI using the name of the division[, context], entity and service. By calling the following URI:
post -> 'http://localhost:8080/Harcon/book/log'
with a body of
{ params: [ 'Hello!'] }
will address the service 'log' of the component 'book' in the division 'Harcon'. The of the entity will be sent as JSON.
harcon-radiation supports JSON-RPC 2.0 if you create the instace as follows:
var radiation = new Radiation( harcon, rest: { jsonrpcPath: '/RPCTwo' } )
This will accept POST request on the path '/RPCTwo' respecting the JSON-RPC 2.0 standard.
Note: be aware the limitations of JSON-RPC. It does not support orchestration like divisions or contexts, therefore addressing should be limited to entityname.service, subdomains/subcontexts cannot be addressed.
The following settings will activate the Harcon-RPC option on URI '/Harcon':
var radiation = new Radiation( harcon, { rest: { harconrpcPath: '/Harcon' } } )
By sending the following JSON to the address, you can address the method 'terminus' of the entity 'marie' in the division 'King.charming':
{ division: 'King.charming', event: 'marie.terminus', params: ['Szióka!'] }
Using Websockets is also straightforward. By default, the URI will be the name of your Harcon instance. You can override it by the following config:
var radiation = new Radiation( harcon, { websocket: { socketPath: '/Socket' } } )
Send packet to that address:
var socket = ioclient( 'http://localhost:8080/Socket' )
socket.emit('ignite', { id: '10', division: 'Inflicter', event: 'book.log', params: [ 'Helloka!' ] } )
This will send the JS object to the room 'Socket'. By sending an 'ignite' message and passing the communication object you want to deliver will call the function.
The response will be sent as 'done' or 'error' message depending on the result.
Note: The ID is highly recommended to be passed to differentiate the incoming answer packets.
This service can be turned on by the following configuration:
var radiation = new Radiation( harcon, { websocket: { jsonrpcPath: '/SocketRPC' } } )
It will accept and send JSON-RPC JSON packets...
You can send out / broadcast messages to connected listeners if your business entity calls the method 'shifted', which is a built-in service of harcon letting entities to inform the system about state changes. harcon-radiation uses this mechanism to send out those messages to the websocket listeners.
this.shifted( { mood: 'happy' } )
That will send the message 'mood' to the connected clients with the data 'happy'. All properties of the object sent will be turned into separate messages to be broadcasted. And the payload of the messages will be set by the value of the given property.
Note: Considering the nature of the JSON-RPC 2.0, this level of service is available only for the 'normal' websockets clients.
harcon-radiation is using connect-rest inside and allows you to use the security features of that REST lib. Your components might possess a protector function which should retrieve protector function used by the connect-rest when it is called. The service parameter can be used to differentiate the different security aspects your services cover.
harcon.addicts( {
name: 'julie',
rest: true,
security: {
protector: function(service){
return function( req, res, pathname, path, callback ){
callback()
}
}
}
} )
About the protector functions, please find the description here.
Note: this feature is valid only for REST option 1.
Nimesis is a built-in entity of harcon-radiation providing one single service:
mimic: function( entityDef ... callback ){
It accepts harcon entity definitions as string and converts them to entity definitions then publishes it according its configuration. By default, all services will be exposed through REST and Websockets as well. Serves well when dynamic extension or ability to publish services on-the-fly is a requirement. The Nimesis Will hold only 1 definition as reference. When a new definition incomes, the previous one will be destructed.
Calling the function 'reshape' will remove the published entity.
Note: this feature is serving special purposes, use it with adequate caution.
(The MIT License)
Copyright (c) 2016 Imre Fazekas
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
See https://github.com/imrefazekas/harcon-radiation/issues.
FAQs
REST and Websocket plugin for harcon
The npm package harcon-radiation receives a total of 15 weekly downloads. As such, harcon-radiation popularity was classified as not popular.
We found that harcon-radiation demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.