Koa-style middleware concept to quickly build AWS Lambda functions
Use Koa-style middlewares and the `kompose` method. Examples can be found in the handlers, e.g. `user/addToHistory.ts`.
A handler is therefore simply the outcome of `kompose`, e.g.

```ts
export const handler = kompose(
  callbackBased,
  ...,
  async (ctx, next) => {
    ... // <- this is called while going down the middleware chain
    await next()
    ... // <- this is called once the bottom of the chain has been reached and we are going back up the chain
  },
  ...
)
```
A middleware follows these rules:
- It receives two parameters: `ctx: EventContext` and `next` (optional, see Utility middlewares below).
- `ctx` contains three properties: `event: AWSEvent`, `context: AWSContext` and `state`. The event type varies depending on the trigger of the lambda function.
- Middlewares are `async` functions; they should always call `await next()` (or `next && await next()` in the case of utility middlewares).
- Whatever comes before the `await next()` call is processed down the middleware chain.
- Whatever comes after the `await next()` call is processed up the middleware chain.
- On failure, a middleware should `throw` an error, not return a rejected promise.
- Data is shared between middlewares through the `ctx.state` object.
- The top middleware expects the `ctx.state.response` property to be populated, e.g. `{message: '...', code: 42}`.
In case of utility middlewares, that are expected to be used both as normal functions and as part of a middleware chain:
- The `next` parameter should be made optional (`next?`).
- The call to `next` should be made optional as well, with the statement `next && await next()`.

E.g. `withUserId` can be used as part of a chain, when the user isn't needed (only the id), but it is also used within `withUser` as a normal function.
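The rules above, worked into a small runnable model (added example, not koalambda's own code): a koa-compose style `kompose`, a `callbackBased` top middleware that turns `ctx.state.response` or a thrown error into the Lambda callback result, and a `withUserId` utility middleware with optional `next`. It assumes the Lambda callback is exposed as `ctx.callback` and that the user id sits at `event.requestContext.authorizer.claims.sub`; neither is stated by the package.

```typescript
type Callback = (err: Error | null, res?: any) => void;
type Ctx = { event: any; context: any; state: Record<string, any>; callback: Callback };
type Next = () => Promise<void>;
type Middleware = (ctx: Ctx, next: Next) => Promise<void>;

// koa-compose style composition: a middleware runs until `await next()`, which descends
// into the following one; whatever comes after the await runs on the way back up.
export function kompose(...mws: Middleware[]) {
  return (event: any, context: any, callback: Callback): Promise<void> => {
    const ctx: Ctx = { event, context, state: {}, callback }; // callback on ctx is an assumption
    const dispatch = (i: number): Promise<void> => {
      if (i >= mws.length) return Promise.resolve();
      let called = false; // guard: next() must run the rest of the chain at most once
      return mws[i](ctx, () => {
        if (called) return Promise.reject(new Error("next() called multiple times"));
        called = true;
        return dispatch(i + 1);
      });
    };
    return dispatch(0);
  };
}

// Top middleware for HTTP triggers: after the chain unwinds, ctx.state.response becomes the
// Lambda callback result; an error thrown anywhere below is turned into a 500 here.
export const callbackBased: Middleware = async (ctx, next) => {
  try {
    await next();
    const res = ctx.state.response ?? { code: 500, message: "no response set" };
    ctx.callback(null, { statusCode: res.code, body: JSON.stringify({ message: res.message }) });
  } catch (err) {
    ctx.callback(null, { statusCode: 500, body: JSON.stringify({ message: (err as Error).message }) });
  }
};

// Utility middleware: usable inside a chain or as a plain function, hence the optional next.
export const withUserId = async (ctx: Ctx, next?: Next): Promise<void> => {
  const id = ctx.event?.requestContext?.authorizer?.claims?.sub; // assumed event shape
  if (!id) throw new Error("missing user id"); // throw, do not return a rejected promise
  ctx.state.userId = id;
  next && (await next());
};

export const handler = kompose(callbackBased, withUserId, async (ctx, next) => {
  await next(); // nothing below: this is the bottom of the chain
  ctx.state.response = { code: 200, message: `hello ${ctx.state.userId}` };
});

// Invokes a composed handler with a constructed event and resolves with the callback result.
export function run(h: ReturnType<typeof kompose>, event: any): Promise<any> {
  return new Promise((resolve) => h(event, {}, (_e, res) => resolve(res)));
}
```

With a missing user id the `throw` in `withUserId` propagates up through `await next()` and is handled once, at the top, rather than by every middleware in between.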
↓ means acts down the chain; ↑ up the chain

- `callbackBased` (or its context-based counterpart): decides how the outcome of the Lambda function is delivered. Http calls use the callback, whereas Cognito triggers use the context, for example. As of this writing, one of the two must be used as the top middleware of any handler function.
- `standardHttpResponse`: handles Http responses, both success and error. It simply uses a default code 200 for success, with CORS enabled and JSON content by default.
- `withUserId`: reads the user id from the request and adds it as `ctx.state.userId`.
- `withUser`: reads the user id and loads the corresponding user object. Adds the user as `ctx.state.user`. Note: does not require `withUserId` to be added to the chain, as it is already part of the code of `withUser`.
- JSON-parses the body of a POST. Sets the parsed object back onto `ctx.state.body` (overwrites the original).
- Takes the value with the specified name and puts it in the state.
- Filters the specified argument by the specified function.
- `when`: takes a "check" callback which receives the context, and a middleware. If the check passes (either as a boolean or a Promise which resolves with a boolean), the middleware is called. Note: a rejection of the check promise is currently not considered a failure of the check.
- `whenAttributeExists`: similar to `when`, but checks whether a given attribute exists on the state. Uses `lodash.get`, so dot notation works as a shortcut.
- Similar to `whenAttributeExists`, but checks whether the given attribute equals the given value.
Changelog: `koa-compose` initialisation is now done higher up, to avoid checking functions twice (thank you @yujilim).