angel_security 1.0.2


security


Angel middleware designed to enhance application security by patching common Web security holes.

Sanitizing HTML

app.before.add(sanitizeHtmlInput());

// Or:
app.chain(sanitizeHtmlInput()).get(...)

CSRF Tokens

app.chain(verifyCsrfToken()).post('/form', ...);
app.responseFinalizers.add(setCsrfToken());

Banning by IP

app.before.add(banIp('1.2.3.4'));

// Or a range:
app.before.add(banIp('1.2.3.*'));
app.before.add(banIp('1.2.*.4'));

// Or multiple filters:
// Note: the RegExp is escaped and anchored so that it matches the literal
// address and nothing else (an unescaped `.` would match any character).
app.before.add(banIp(['1.2.3.4', '192.*.*.*', new RegExp(r'^1\.2\.3\.4$')]));

// Also can ban origins
app.before.add(banOrigin('*.known-attacker.com'));

// By default, `banOrigin` forces users to have an `Origin` header.
// Use this flag to disable it:
app.before.add(banOrigin('evil.site', allowEmptyOrigin: true));

Trusted Proxy

Intended for deployments behind a reverse proxy such as Apache or Nginx: X-Forwarded-* headers are honoured only when the request arrives from the address you list, so a client cannot spoof its IP by sending the header itself.

// ONLY trust localhost X-Forwarded-* headers
app.before.add(trustProxy('127.0.0.1'));

Throttling Requests

Throws a 429 error if the given rate limit is exceeded.

// Example: 5 requests per minute
app.before.add(throttleRequests(5, new Duration(minutes: 1)));
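The sections above each show one call in isolation. The following is an added example, not code from the angel_security README or from the Angel project, that wires those calls into a single Angel application in an order that matters: `trustProxy` first, so that the IP-based `banIp` and `throttleRequests` that follow see the real client address rather than the proxy's; the cheap filters before `sanitizeHtmlInput` and the route handlers; and CSRF protection on the form route only. It assumes the angel_framework 1.x API (`new Angel()`, `app.before`, `app.chain`, `app.responseFinalizers`, `app.get`/`post`, `startServer`), and the banned addresses and origin are constructed from documentation ranges.

```dart
import 'package:angel_framework/angel_framework.dart';
import 'package:angel_security/angel_security.dart';

// Added example: one middleware pipeline built from the calls shown in the
// README. Assumes the angel_framework 1.x API; addresses are constructed.
Angel buildSecuredApp() {
  var app = new Angel();

  // 1. Honour X-Forwarded-* headers only when the connection comes from the
  //    local reverse proxy. This must run before any IP-based check, or
  //    every request would appear to originate from 127.0.0.1.
  app.before.add(trustProxy('127.0.0.1'));

  // 2. Reject known-bad clients before doing any further work. The RegExp is
  //    fully escaped and anchored so it matches only the listed addresses.
  app.before.add(banIp([
    '203.0.113.7',                      // a single (constructed) address
    '198.51.100.*',                     // a range
    new RegExp(r'^192\.0\.2\.(1|2)$'),  // an explicit pattern
  ]));
  // An Origin header is required by default; keep that default unless a
  // legitimate non-browser client of yours cannot send one.
  app.before.add(banOrigin('*.bad-origin.example'));

  // 3. Rate limit before the expensive handlers: 5 requests per minute,
  //    answered with 429 once exceeded.
  app.before.add(throttleRequests(5, new Duration(minutes: 1)));

  // 4. Strip HTML from incoming input for every route.
  app.before.add(sanitizeHtmlInput());

  // 5. CSRF: every response carries a token, and the form route refuses
  //    requests that do not present a valid one.
  app.responseFinalizers.add(setCsrfToken());
  app.chain(verifyCsrfToken()).post('/form',
      (RequestContext req, ResponseContext res) async {
    res.write('form accepted');
  });

  app.get('/', (RequestContext req, ResponseContext res) async {
    res.write('ok');
  });

  return app;
}

main() async {
  var app = buildSecuredApp();
  // startServer takes a host (string or InternetAddress) and a port.
  var server = await app.startServer('127.0.0.1', 3000);
  print('listening on ${server.address.address}:${server.port}');
}
```

Because `app.before` handlers run in the order they were added, moving `trustProxy` below `banIp` or `throttleRequests` would silently make both operate on the proxy's address, which is the mistake this example is arranged to avoid.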

Helmet

Supplementary security library

Service Hooks

Also included are a set of service hooks, some ported from FeathersJS. Others are created just for Angel.

import 'package:angel_security/hooks.dart' as hooks;

Included:

  • addUserToParams
  • associateCurrentUser
  • hashPassword
  • queryWithCurrentUser
  • restrictToAuthenticated
  • restrictToOwner
  • variantPermission

Also exported is the helper function isServerSide. Use this to determine whether a service method is being called by the server, or by a client.
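As an added example of attaching the hooks listed above to a service (not code from the README or from the Angel project): an in-memory users service whose stored passwords are hashed on creation, whose reads are scoped to the calling user, and whose existing records can only be changed by their authenticated owner. It assumes the angel_framework 1.x `HookedService` API (`app.use` returning a `HookedService`, the `beforeCreated`/`beforeIndexed`/`beforeRead`/`beforeModified`/`beforeUpdated`/`beforeRemoved` dispatchers with `listen`, and the `beforeAll` helper). The hooks are called with their defaults because their options are not documented on this page, and `isServerSide` is assumed to take the hook event as its argument.

```dart
import 'package:angel_framework/angel_framework.dart';
import 'package:angel_security/hooks.dart' as hooks;

// Added example: attaching the bundled service hooks to an in-memory users
// service. Assumes the angel_framework 1.x HookedService API.
HookedService configureUsersService(Angel app) {
  // Mount the service; app.use wraps it in a HookedService.
  var users = app.use('/api/users', new MapService());

  // Hash the password before the record is stored, so plaintext never
  // reaches the backing store. The hook's field and algorithm settings are
  // the package's own and are not configured here.
  users.beforeCreated.listen(hooks.hashPassword());

  // Listing and reading require an authenticated caller, and listing is
  // narrowed to the caller's own records.
  users.beforeIndexed.listen(hooks.restrictToAuthenticated());
  users.beforeIndexed.listen(hooks.queryWithCurrentUser());
  users.beforeRead.listen(hooks.restrictToAuthenticated());

  // Attached per event rather than through a blanket helper, so that
  // creation (sign-up) stays open while every change to an existing record
  // is limited to an authenticated caller who owns it.
  for (var dispatcher in [
    users.beforeModified,
    users.beforeUpdated,
    users.beforeRemoved
  ]) {
    dispatcher.listen(hooks.restrictToAuthenticated());
    dispatcher.listen(hooks.restrictToOwner());
  }

  // A custom hook using isServerSide: record whether the call came from
  // server-side code (for instance a seeding script) or from a client.
  users.beforeAll((HookedServiceEvent e) {
    var caller = hooks.isServerSide(e) ? 'server' : 'client';
    print('users service called from $caller (id: ${e.id})');
  });

  return users;
}

main() async {
  var app = new Angel();
  configureUsersService(app);
  await app.startServer('127.0.0.1', 3000);
}
```

Listeners on a dispatcher run in the order added, so `restrictToAuthenticated` is registered ahead of `queryWithCurrentUser` and `restrictToOwner`: an unauthenticated request is rejected before any hook tries to read the current user.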

Permissions

Permissions are a great way to restrict access to resources.

They take the form of:

  • service:foo
  • service:create:*
  • some:arbitrary:permission:*:with:*:a:wild:*card

The specifics are up to you.

var permission = new Permission('admin | users:find');

// Or:
// PermissionBuilders support + and | operators. Operands can be Strings, Permissions or PermissionBuilders.
var permission = (new PermissionBuilder('admin') | (new PermissionBuilder('users') + 'find')).toPermission();

// Transform into middleware
app.chain(permission.toMiddleware()).get('/protected', ...);

// Or as a service hook
app.service('protected').beforeModify(permission.toHook());

// Dynamically create a permission hook.
// This helps in situations where the resources you need to protect are dynamic.
//
// `variantPermission` is included in the `package:angel_security/hooks.dart` library.
app.service('posts').beforeModify(variantPermission((e) {
    return new PermissionBuilder('posts:modify:${e.id}');
}));
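The README leaves the meaning of these strings up to you. As an added, standalone example (not the angel_security `Permission` class, whose rules may differ) here is one concrete interpretation in plain Dart: a `*` in a granted permission matches any text within a single colon-separated segment, `|` means either side suffices, and `+` requires both. The granted permissions and the expressions being checked are constructed for the example.

```dart
// Added example: a standalone interpretation of the wildcard permission
// strings described in the README. Not the angel_security Permission class;
// the matching rules below are assumptions made for illustration.

/// Compiles a granted permission such as 'users:*' or 'a:wild:*card' into a
/// regular expression. A '*' matches any run of characters inside one
/// colon-delimited segment; everything else is matched literally.
RegExp compileGranted(String granted) {
  var pattern = new StringBuffer('^');
  for (var ch in granted.split('')) {
    pattern.write(ch == '*' ? '[^:]*' : RegExp.escape(ch));
  }
  pattern.write(r'$');
  return new RegExp(pattern.toString());
}

/// True if any granted permission covers the single required [term].
bool termSatisfied(String term, Iterable<String> granted) =>
    granted.any((g) => compileGranted(g).hasMatch(term));

/// Evaluates an expression in the README's form, e.g. 'admin | users:find'.
/// '|' separates alternatives (any one suffices) and '+' joins terms that
/// must all hold; '+' binds tighter, so 'a + b | c' reads as (a + b) | c.
bool evaluate(String expression, Iterable<String> granted) {
  for (var alternative in expression.split('|')) {
    var terms = alternative
        .split('+')
        .map((t) => t.trim())
        .where((t) => t.isNotEmpty)
        .toList();
    if (terms.isNotEmpty && terms.every((t) => termSatisfied(t, granted))) {
      return true;
    }
  }
  return false;
}

main() {
  // Constructed sample: a user holding one wildcard grant and one exact grant.
  var granted = ['users:*', 'posts:read'];
  var checks = [
    'admin | users:find',
    'admin + users:find',
    'posts:read + users:remove',
    'posts:modify:42',
    'users:find:all', // '*' does not cross a segment boundary
  ];
  for (var expr in checks) {
    print('$expr -> ${evaluate(expr, granted)}');
  }
  // Wildcard inside a segment, as in the README's a:wild:*card form.
  print('a:wild:redcard -> ${evaluate('a:wild:redcard', ['a:wild:*card'])}');
}
```

Keeping the wildcard confined to one segment is the deliberate design choice here: a grant of `users:*` then covers `users:find` but not `users:find:all`, so a more specific permission tree cannot be reached through a coarser grant by accident.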

1. Depend on it

Add this to your package's pubspec.yaml file:


dependencies:
  angel_security: "^1.0.2"

2. Install it

You can install packages from the command line:

with pub:


$ pub get

Alternatively, your editor might support pub get. Check the docs for your editor to learn more.

3. Import it

Now in your Dart code, you can use:


import 'package:angel_security/angel_security.dart';
Version         Uploaded
1.0.2           Mar 29, 2017
1.0.0           Mar 2, 2017
0.0.7           Feb 1, 2017
0.0.6           Jan 29, 2017
0.0.5           Jan 28, 2017
1.0.0-alpha+1   Mar 2, 2017
1.0.0-alpha     Feb 28, 2017
0.0.0-alpha+4   Jan 21, 2017
0.0.0-alpha+3   Jan 21, 2017
0.0.0-alpha+2   Jan 14, 2017

Showing 10 of 12 versions.

Analysis


We analyzed this package, and provided a score, details, and suggestions below.

  • tool failures on Dec 6, 2017
  • Dart: 2.0.0-dev.8.0
  • pana: 0.7.3+1

Scores

  • Popularity: 67 (how popular the package is relative to other packages)
  • Health: 58 (code health derived from static analysis)
  • Maintenance: 41 (how tidy and up-to-date the package is)
  • Overall score: 59 (weighted score of the above)

Platforms

Detected platforms:

Error(s) prevent platform classification.

Suggestions

  • Fix lib/src/csrf.dart.

    Strong-mode analysis of lib/src/csrf.dart failed with the following error:

    line: 3 col: 8
    Target of URI doesn't exist: 'package:uuid/uuid.dart'.

  • Fix lib/src/hooks/hash_password.dart.

    Strong-mode analysis of lib/src/hooks/hash_password.dart failed with the following error:

    line: 3 col: 8
    Target of URI doesn't exist: 'package:crypto/crypto.dart'.

  • Fix further 3 Dart files.

    Similar analysis of the following files failed:

    • lib/src/hooks/query_with_current_user.dart
    • lib/src/hooks/restrict_to_owner.dart
    • lib/src/hooks/associate_current_user.dart

  • Maintain CHANGELOG.md.

    Changelog entries help clients to follow the progress in your code.

Dependencies

Package                  Constraint      Resolved        Available

Direct dependencies
angel_framework          ^1.0.0-dev      1.1.0

Transitive dependencies
angel_http_exception                     1.0.0
angel_model                              1.0.0
angel_route                              2.0.5
async                                    2.0.1
body_parser                              1.0.3
charcode                                 1.1.1
collection                               1.14.3
combinator                               1.0.0-beta+7
container                                0.1.2
http_server                              0.9.6
json_god                                 2.0.0-beta+1
logging                                  0.11.3+1
matcher                                  0.12.1+4
merge_map                                1.0.0
meta                                     1.1.2
mime                                     0.9.4
path                                     1.5.1
pool                                     1.3.3
quiver_hashcode                          1.0.0
random_string                            0.0.1
source_span                              1.4.0
stack_trace                              1.9.1
string_scanner                           1.0.2
tuple                                    1.0.1

Dev dependencies
angel_auth               ^1.0.0-dev
angel_diagnostics        ^1.0.0-dev
angel_test               ^1.0.0-dev
angel_validate           ^1.0.0-beta
test                     ^0.12.0