Security News
Research
Data Theft Repackaged: A Case Study in Malicious Wrapper Packages on npm
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Provides a set of decorators for handling authentication and authorization concerns within a React application.
A common need when building React applications is the ability to detect if the user is logged in and redirect them to the login page/experience if they are not.
For this example, pretend we have an application that displays a collection of blog posts for the logged in user. If the user is not logged in (not authenticated) then we want to redirect them to /login
. If they are authenticated, then we want to display the application as normal.
To accomplish that, we're going to wrap the root component of our application (called Master
) with a UserIsAuthenticated
decorator that determines whether the user is logged in. For this example, we're storing a user token in localStorage, so our condition for determining whether the user is logged in is whether that token exists.
// file: routes.js
var AuthenticationGenerator = require('lore-auth').generators.AuthenticationGenerator;
var UserIsAuthenticated = AuthenticationGenerator({
wrapperDisplayName: 'UserIsAuthenticated',
// redirectUrl: '/login',
// redirectQueryParamName: 'redirect',
isAuthenticated: function (storeState) {
return !!localStorage.userToken;
}
});
// Routes
var Master = require('./src/components/Master');
var Posts = require('./src/components/Posts');
var Login = require('./src/components/Login');
var Logout = require('./src/components/Logout');
module.exports = (
<Route>
<Route path="/login" component={Login} />
<Route path="/logout" component={Logout} />
<Route>
<Route path="/" component={UserIsAuthenticated(Master)}>
<Route path="posts" component={Posts} />
</Route>
</Route>
</Route>
);
Let's say our example application is changed to display a list of posts for all users, but the API only lets users edit their own posts (i.e. posts they created). Translating that concern to the user interface, it means we only want to display the edit
button if a user is the creator of the post.
// file: src/components/Post
// This component will render the EditPostButton component, but we
// only want that component to be rendered if the user created the Post
var React = require('react');
var EditPostButton = require('./EditPostButton');
var PropTypes = require('prop-types');
module.exports = React.createClass({
displayName: 'Post',
propTypes: {
user: PropTypes.object.isRequired,
post: PropTypes.object.isRequired
},
render: function () {
var user = this.props.user;
var post = this.props.post;
return (
<div>
<h1>{post.data.title}</h1>
<p>{post.data.text}</p>
<EditPostButton post={post} user={user} />
</div>
);
}
});
// file: src/components/EditPostButton
// This component will be wrapped in a custom decorator called 'UserIsPostCreator' that
// will only display the button if the current user created the post
var React = require('react');
var AuthorizationGenerator = require('lore-auth').generators.AuthorizationGenerator;
var PropTypes = require('prop-types');
var UserIsPostCreator = AuthorizationGenerator({
wrapperDisplayName: 'UserIsPostCreator',
propTypes: {
post: PropTypes.object.isRequired,
user: PropTypes.object.isRequired
},
isAuthorized: function () {
var post = this.props.post;
var user = this.props.user;
return post.data.creatorId === user.id;
}
});
module.exports = UserIsPostCreator(React.createClass({
displayName: 'EditPostButton',
propTypes: {
user: PropTypes.object.isRequired,
post: PropTypes.object.isRequired
},
onEditPost: function() {
// launch edit dialog...
},
render: function () {
return (
<button onClick={this.onEditPost}>
Edit Post
</button>
);
}
}));
This file provides the component that generators/AuthenticationGenerator
and generators/AuthorizationGenerator
use as their foundation. It contains the following methods that can/should be overriden by the generators created from it in order to tailor it's behavior to provide a more semantic interface:
componentWillMount
is predicate
returns true. No-op by default (function does nothing).componentWillMount
is predicate
returns false. No-op by default (function does nothing)predicate
returns true. By default, this renders the component it decorates, passing down the properties it receivedpredicate
returns false. By defult, this renders null
.This file is intended to be used as the foundation for your UserIsAuthenticated
decorator. It overrides the default methods provided by the AuthGeneratorFactory
component to provide the following interface:
var AuthenticationGenerator = require('lore-auth').generators.AuthenticationGenerator;
var UserIsAuthenticated = AuthenticationGenerator({
wrapperDisplayName: 'UserIsAuthenticated',
// redirectUrl: '/login',
// redirectQueryParamName: 'redirect',
isAuthenticated: function (storeState) {
return !!localStorage.userToken;
}
});
This file is intended to be used as the foundation for custom UserIsX
decorators that determine whether components should be displayed based on some user permission. It overrides the default methods provided by the AuthGeneratorFactory
component to provide the following interface:
If the user is not authorized, the component it wraps will not be rendered, though you could provide a custom component (or pass down additional props) by overriding the renderFailure
method to change that default.
var AuthorizationGenerator = require('lore-auth').generators.AuthorizationGenerator;
var PropTypes = require('prop-types');
var UserIsPostCreator = AuthorizationGenerator({
wrapperDisplayName: 'UserIsPostCreator',
propTypes: {
post: PropTypes.object.isRequired,
user: PropTypes.object.isRequired
},
isAuthorized: function () {
var post = this.props.post;
var user = this.props.user;
return post.data.creator === user.id;
}
});
This file is intended to be used as a generic decorator that will only render the decorated component if the function it takes returns true. It's mostly a conveinance decorator, so you don't neccesarily have to create custom decorators like UserIsPostCreator
or UserIsAdmin
.
For example, instead of creating a custom UserIsPostCreator
decorator as in our example above, we could use this decorator instead like so:
var UserIsAuthorized = require('lore-auth').decorators.UserIsAuthorized;
var PropTypes = require('prop-types');
module.exports = UserIsAuthorized(function(props, storeState){
return props.post.data.creatorId === props.user.id;
})(React.createClass({
displayName: 'EditPostButton',
propTypes: {
user: PropTypes.object.isRequired,
post: PropTypes.object.isRequired
},
onEditPost: function() {
// launch edit dialog...
},
render: function () {
return (
<button onClick={this.onEditPost}>
Edit Post
</button>
);
}
}));
The disadvantage to using this component is that it is not as semantically clear what this decorator is doing. Instead of being able to read something like UserIsPostCreator
and thinking "okay, so this component will be rendered if the user is the creator of the post" you (or other developers) will need to read the code to decipher the intent.
Another use for authorization might be to show/hide a badge based on information about the relationship between two people. For example, maybe you want to display a badge on all posts that were created by your friends, or on all posts that have over 500 likes. You could also use the "Authorization" component to control that behavior, or create your own generator using AuthGeneratorFactory
and referencing AuthenticationGenerator
or AuthorizationGenerator
as an example implementation.
FAQs
Set of decorators to help with authentication and authorization
We found that lore-auth demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Research
The Socket Research Team breaks down a malicious wrapper package that uses obfuscation to harvest credentials and exfiltrate sensitive data.
Research
Security News
Attackers used a malicious npm package typosquatting a popular ESLint plugin to steal sensitive data, execute commands, and exploit developer systems.
Security News
The Ultralytics' PyPI Package was compromised four times in one weekend through GitHub Actions cache poisoning and failure to rotate previously compromised API tokens.