Research
Security News
Quasar RAT Disguised as an npm Package for Detecting Vulnerabilities in Ethereum Smart Contracts
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
json-proxy-middleware
Advanced tools
This is a simple middleware utility that can be used to proxy JSON requests for Express node.js servers. This is most useful when you want to simply pass a response from a service to a client, without needing to buffer or modify it. For example, your server could do an authentication check, and then simply stream the data from the service to the client.
Assuming you have an express Router, here's a quick way to get things wired up:
import express from "express";
import jsonProxy from "json-proxy-middleware";
const router = new express.Router();
router.get(
"/service/proxy/path",
(req, res, next) => {
if (req.user.isLoggedIn) {
next();
}
},
jsonProxy({
urlHost: "https://my.service.url",
headers: {
"x-custom-header-calling-application-name": "my-application"
}
}),
(error, req, res, next) => {
res.status(500).json({
message: "Whoops! The Proxy Middleware Broke!"
});
}
);
export default router;
In the example above, let's break down what happened in our router:
jsonProxy
middleware RequestHandler
, and pointed it to
https://my.service.url
, and attached some custom HTTP headers for the
service.json-proxy-middleware
is designed to be fairly flexible, yet performant for
configuring how & where you proxy requests through your node.js middletier.
The quick start above includes the barebones to get you up and running. Below
is the full API with some details on how to use the middleware in a variety
of different scenarios.
There is a single, default export from the utility, and that is the middleware itself:
import jsonProxy from "json-proxy-middleware";
It takes a single ProxyMiddlewareOptions
object, and returns a RequestHandler
function:
jsonProxy({
additionalLogMessage: "custom appended log message",
headers: {
"custom-additional-http-header": "value"
}
logger: console,
urlHost: "https://my.service.uri",
});
property | type | description |
---|---|---|
additionalLogMessage | string (optional) | a message that will be appended to proxy start/end/error logging |
headers(req, res) | object /function (optional) | an object or function that returns an object with additional headers to forward on the proxied request |
logger | logger instance (optional) | any valid logger instance with methods .info() and .error() to be called with logging messages |
urlHost(req, res) | string /function | a string or function that returns a string indicating a host to have a request proxied to |
additionalLogMessage
When a logger is provided, this message will be appended to to info/error logs and can be used to customize the log messages per jsonProxy usage as needed.
headers
When provided, these will be appended to the default headers that we forward. By default we provide the headers necessary for JSON requests:
{
Accept: "application/json",
"Content-Type": "application/json"
}
If you'd like, you can provide an object with static headers to forward, like so:
jsonProxy({
headers: { "custom-http-header": "static value" }
});
In some cases, you need to also forward request headers that came in from the client, or you might need to forward headers based on the request itself. In that case, you can provide a function that the middleware will call for each incoming proxy request:
jsonProxy({
headers(req, res) {
return {
userId: req.user.getId(),
session: req.sessionId
// etc
};
}
});
Setting headers this way allows you to perform a white or black list style header forwarding for the proxy as well.
logger
When a logger is provided, json-proxy-middleware
will log out information useful
for debugging, such as when a proxy request started, when it ended, and how long it
took. We also log out errors in the event those occur. You can provide any kind of
logger you prefer, as long as it has a .info()
and .error()
log level method to
invoke.
urlHost
The urlHost
is combined with the path on the proxy to perform a request. It is
required, and you can provide either a string
or function
that returns a string
for the request. The simplest example looks like this:
router.get(
"/service/REST/v1",
jsonProxy({ urlHost: "https://my.service.url" })
);
This will result in jsonProxy
making a GET
request to:
https://my.service.url/service/REST/v1
Because of the way Express are designed with their routing, you can also leverage this with regex / glob paths, like so:
router.get(
"/service/REST/v1/**",
jsonProxy({ urlHost: "https://my.service.url" })
);
This will mean that json-proxy-middleware
will proxy any paths that match.
It's a great idea to understand if this will open up security holes in your
service, and in general proxying requests through globs requires some thought &
coordination with the proxied service.
Another thing to note with Express servers, is that you can mount routes at
different base paths. json-proxy-middleware
by default navigates this for you,
so keep that in mind when using proxy routers in scenarios like this:
import express from "express";
const server = express();
const router = express.Router();
router.get(
"/service/REST/v1/**",
jsonProxy({ urlHost: "https://my.service.url" })
);
server.use("/proxy", router);
In this case, your clients will be making requests to /proxy/service/REST/v1/**
,
but json-proxy-middleware
will be proxying requests to
https://my.service.url/service/REST/v1/**
, removing the /api
portion from the
request.
FAQs
Simple express.js friendly json proxy middleware utility
The npm package json-proxy-middleware receives a total of 15 weekly downloads. As such, json-proxy-middleware popularity was classified as not popular.
We found that json-proxy-middleware demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
Socket researchers uncover a malicious npm package posing as a tool for detecting vulnerabilities in Etherium smart contracts.
Security News
Research
A supply chain attack on Rspack's npm packages injected cryptomining malware, potentially impacting thousands of developers.
Research
Security News
Socket researchers discovered a malware campaign on npm delivering the Skuld infostealer via typosquatted packages, exposing sensitive data.