hpkp - npm Package Compare versions

Comparing version 0.1.0 to 0.2.0

index.js

@@ -1,7 +0,4 @@
-var arrayWrap = require('arraywrap');
+var badArgumentsError = new Error('hpkp must be called with a maxAge and at least two SHA-256s (one actually used and another kept as a backup).');
 
-var badArgumentsError = new Error('hpkp must be called with a maxAge and at least one sha256.');
-
 module.exports = function hpkp(passedOptions) {
-
   var options = parseOptions(passedOptions);
@@ -15,21 +12,18 @@ var headerKey = getHeaderKey(options);
   };
-
 };
 
 function parseOptions(options) {
-  if ((!options) ||
-      (options.maxage && options.maxAge) ||
-      (options.sha256 && options.sha256s)) {
-    throw badArgumentsError;
-  }
+  if (!options) { throw badArgumentsError; }
 
+  if (options.maxage && options.maxAge) { throw badArgumentsError; }
+
   var maxAge = options.maxAge || options.maxage;
-  var sha256s = options.sha256 || options.sha256s;
-  if (!maxAge || !sha256s || (maxAge <= 0)) {
-    throw badArgumentsError;
-  }
+  var sha256s = options.sha256s;
 
+  if (!maxAge || (maxAge <= 0)) { throw badArgumentsError; }
+  if (!sha256s || (sha256s.length < 2)) { throw badArgumentsError; }
+
   return {
     maxAge: maxAge,
-    sha256s: arrayWrap(sha256s),
+    sha256s: sha256s,
     includeSubdomains: options.includeSubdomains,
@@ -52,3 +46,3 @@ reportUri: options.reportUri
   });
-  result.push('max-age=' + Math.round(options.maxAge / 1001));
+  result.push('max-age=' + Math.round(options.maxAge / 1000));
   if (options.includeSubdomains) {
@@ -55,0 +49,0 @@ result.push('includeSubdomains');

package.json

 {
   "name": "hpkp",
   "author": "Adam Baldwin <baldwin@andyet.net> (http://andyet.net/team/baldwin)",
+  "license": "MIT",
   "contributors": [
-    "Evan Hahn <me@evanhahn.com> (http://evanhahn.com)"
+    "Evan Hahn <me@evanhahn.com> (http://evanhahn.com)",
+    "Tom Delmas <tdelmas@gmail.com> (https://tdelmas.ovh)"
   ],
   "description": "HTTP Public Key Pinning (HPKP) middleware",
-  "version": "0.1.0",
+  "version": "0.2.0",
   "keywords": [
@@ -31,6 +33,3 @@ "helmet",
     "supertest": "^0.15.0"
-  },
-  "dependencies": {
-    "arraywrap": "^0.1.0"
   }
 }

README.md

 # HTTP Public Key Pinning (HPKP) middleware
 
-Adds Public Key Pinning headers to Express/Connect applications. To learn more about HPKP, check out [the spec](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning), [the article on MDN](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning), and [this tutorial](https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/).
+Adds Public Key Pinning headers to Express/Connect applications. To learn more about HPKP, check out [the spec](https://tools.ietf.org/html/rfc7469), [the article on MDN](https://developer.mozilla.org/en-US/docs/Web/Security/Public_Key_Pinning), and [this tutorial](https://timtaubert.de/blog/2014/10/http-public-key-pinning-explained/).
 
@@ -5,0 +5,0 @@ Usage:

test/index.js

@@ -20,27 +20,2 @@ var hpkp = require('..');
 
-    it('sets header with one string key called "sha256"', function (done) {
-      test({ maxAge: 10000, sha256: 'abc123' })
-      .expect('Public-Key-Pins', 'pin-sha256="abc123"; max-age=10', done);
-    });
-
-    it('sets header with one string key called "sha256s"', function (done) {
-      test({ maxAge: 10000, sha256s: 'abc123' })
-      .expect('Public-Key-Pins', 'pin-sha256="abc123"; max-age=10', done);
-    });
-
-    it('sets header with a single-value array key called "sha256"', function (done) {
-      test({ maxAge: 10000, sha256: ['abc123'] })
-      .expect('Public-Key-Pins', 'pin-sha256="abc123"; max-age=10', done);
-    });
-
-    it('sets header with a single-value array key called "sha256s"', function (done) {
-      test({ maxAge: 10000, sha256s: ['abc123'] })
-      .expect('Public-Key-Pins', 'pin-sha256="abc123"; max-age=10', done);
-    });
-
-    it('sets header with a multi-value array key called "sha256"', function (done) {
-      test({ maxAge: 10000, sha256: ['abc123', 'xyz456'] })
-      .expect('Public-Key-Pins', 'pin-sha256="abc123"; pin-sha256="xyz456"; max-age=10', done);
-    });
-
     it('sets header with a multi-value array key called "sha256s"', function (done) {
@@ -52,29 +27,29 @@ test({ maxAge: 10000, sha256s: ['abc123', 'xyz456'] })
     it('allows lowercase "maxage"', function (done) {
-      test({ maxage: 10000, sha256: 'abc123' })
-      .expect('Public-Key-Pins', 'pin-sha256="abc123"; max-age=10', done);
+      test({ maxage: 10000, sha256s: ['abc123', 'xyz456'] })
+      .expect('Public-Key-Pins', 'pin-sha256="abc123"; pin-sha256="xyz456"; max-age=10', done);
     });
 
     it('can include subdomains', function (done) {
-      test({ maxage: 10000, sha256: 'abc123', includeSubdomains: true })
-      .expect('Public-Key-Pins', 'pin-sha256="abc123"; max-age=10; includeSubdomains', done);
+      test({ maxage: 10000, sha256s: ['abc123', 'xyz456'], includeSubdomains: true })
+      .expect('Public-Key-Pins', 'pin-sha256="abc123"; pin-sha256="xyz456"; max-age=10; includeSubdomains', done);
     });
 
     it('changes the header when using a report URI', function (done) {
-      test({ maxage: 10000, sha256: 'abc123', reportUri: 'http://example.com' })
-      .expect('Public-Key-Pins-Report-Only', 'pin-sha256="abc123"; max-age=10; report-uri="http://example.com"', done);
+      test({ maxage: 10000, sha256s: ['abc123', 'xyz456'], reportUri: 'http://example.com' })
+      .expect('Public-Key-Pins-Report-Only', 'pin-sha256="abc123"; pin-sha256="xyz456"; max-age=10; report-uri="http://example.com"', done);
     });
 
     it('changes the header when using a report URI and includes subdomains', function (done) {
-      test({ maxage: 10000, sha256: 'abc123', reportUri: 'http://example.com', includeSubdomains: true })
-      .expect('Public-Key-Pins-Report-Only', 'pin-sha256="abc123"; max-age=10; includeSubdomains; report-uri="http://example.com"', done);
+      test({ maxage: 10000, sha256s: ['abc123', 'xyz456'], reportUri: 'http://example.com', includeSubdomains: true })
+      .expect('Public-Key-Pins-Report-Only', 'pin-sha256="abc123"; pin-sha256="xyz456"; max-age=10; includeSubdomains; report-uri="http://example.com"', done);
     });
 
     it('rounds down to the nearest second', function (done) {
-      test({ maxAge: 1234, sha256: 'abc123' })
-      .expect('Public-Key-Pins', 'pin-sha256="abc123"; max-age=1', done);
+      test({ maxAge: 1234, sha256s: ['abc123', 'xyz456'] })
+      .expect('Public-Key-Pins', 'pin-sha256="abc123"; pin-sha256="xyz456"; max-age=1', done);
     });
 
     it('rounds up to the nearest second', function (done) {
-      test({ maxAge: 1567, sha256: 'abc123' })
-      .expect('Public-Key-Pins', 'pin-sha256="abc123"; max-age=2', done);
+      test({ maxAge: 1567, sha256s: ['abc123', 'xyz456'] })
+      .expect('Public-Key-Pins', 'pin-sha256="abc123"; pin-sha256="xyz456"; max-age=2', done);
     });
@@ -86,3 +61,3 @@
     assert.equal(hpkp.name, 'hpkp');
-    assert.equal(hpkp.name, hpkp({ maxAge: 10000, sha256: 'abc123' }).name);
+    assert.equal(hpkp.name, hpkp({ maxAge: 10000, sha256s: ['abc123', 'xyz456'] }).name);
   });
@@ -108,18 +83,14 @@
     it('fails if called without a max-age', function () {
-      [
-        { sha256: 'abc123' },
-        { sha256: ['abc123'] },
-        { sha256s: 'abc123' },
-        { sha256s: ['abc123'] }
-      ].forEach(function (value) {
-        assert.throws(callWith(value));
-      });
+      assert.throws(callWith({ sha256s: ['abc123', 'xyz456'] }));
     });
 
-    it('fails if called without SHAs', function () {
+    it('fails if called with fewer than 2 SHAs', function () {
       [
-        { maxAge: 10000 },
-        { maxage: 10000 }
+        undefined,
+        null,
+        'abc123',
+        [],
+        ['abc123']
       ].forEach(function (value) {
-        assert.throws(callWith(value));
+        assert.throws(callWith({ maxAge: 10000, sha256s: value }));
       });
@@ -129,19 +100,15 @@ });
     it('fails if called with a zero maxAge', function () {
-      assert.throws(callWith({ maxAge: 0, sha256: 'abc123' }));
+      assert.throws(callWith({ maxAge: 0, sha256s: ['abc123', 'xyz456'] }));
     });
 
     it('fails if called with a negative maxAge', function () {
-      assert.throws(callWith({ maxAge: -1000, sha256: 'abc123' }));
+      assert.throws(callWith({ maxAge: -1000, sha256s: ['abc123', 'xyz456'] }));
     });
 
     it('fails if called with both types of maxAge argument', function () {
-      assert.throws(callWith({ maxAge: 1000, maxage: 1000, sha256: 'abc123' }));
+      assert.throws(callWith({ maxAge: 1000, maxage: 1000, sha256s: ['abc123', 'xyz456'] }));
     });
 
-    it('fails if called with both types of SHA argument', function () {
-      assert.throws(callWith({ maxAge: 1000, sha256: 'abc123', sha256s: 'xyz456' }));
-    });
-
   });
 
 });

New alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Fixed alerts

License Policy Violation

License

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Found 1 instance in 1 package

Improved metrics

Dependency count

0

decreased by-100%

Worsened metrics

Total package byte prevSize

8035

decreased by-12.12%

Lines of code

129

decreased by-19.88%

Dependency changes

• - Removedarraywrap@^0.1.0

• - Removedarraywrap@0.1.0(transitive)