Using krakenjs middleware config for allowlisting and blocklisting routes

Matt Edelman edited this page Apr 14, 2022 · 1 revision

Allowlisting

Routes under a single namespace

Building from the kraken-js default of mounting routes from /routes/index.js:

  • The lib/auth module (see here) will check authentication before the built-in router for all /auth/* routes.
  • Any protected routes will be mounted via /routes/auth.js (see here).

{
  "middleware": {
    "auth": {
      "enabled": true,
      "priority": 119, // just before the built-in router
      "route": "/auth",
      "module": {
        "name": "path:./lib/auth",
        "arguments": [ "admin", "password" ]
      }
    },
    "auth-router": {
      "enabled": true,
      "priority": 121, // just after the built-in router
      "route": "/auth",
      "module": {
        "name": "express-enrouten",
        "arguments": [{ "index": "path:./routes/auth" }]
      }
    }
  }
}

Any routes defined under different namespaces will not require authentication per this configuration.

Try it yourself

Clone middleware-patterns and run the allowlist pattern.

Blocklisting

The blocklist pattern relies on the way express builds its route map internally. Each route you define is converted to an equivalent RegExp by means of the path-to-regexp module. We can exploit this fact to build a route with one or more negative lookaheads:

{
  "middleware": {
    "auth": {
      "priority": 119,
      "enabled": true,
      "route": "\/((?!$))((?!login))((?!logout))*", // run on every route EXCEPT /login and /logout
      "module": {
        "name": "path:./lib/auth"
      }
    }
  }
}

Warning

If you use the blocklist pattern, verify the generated regex is what you want. You can generate the regex with the path-to-regexp module and check it against a regex visualizer like regulex. Don't forget about optional trailing slashes.
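One way to do that verification, as an added example that is not code from this wiki or the middleware-patterns repo: run the route regex over paths that must be protected and paths that must stay public, including trailing-slash and case variants. The two RegExps are constructed stand-ins (not path-to-regexp output); paste the regex you actually generated in their place. The first mirrors the lookaheads in the route above, the second adds a segment boundary so that only the exact /login and /logout segments are exempt.

```javascript
// Added example: check a blocklist route regex against expected paths.
// Constructed stand-in mirroring the route's lookaheads: no boundary after the name.
const NAIVE = /^\/(?!$)(?!login)(?!logout).*$/i;

// Constructed variant with a segment boundary so only the exact segment is exempt.
const BOUNDED = /^\/(?!$)(?!(?:login|logout)(?:\/|$)).*$/i;

// Constructed sample paths -> whether the auth middleware must run for them.
const EXPECTED = new Map([
  ['/', false],
  ['/login', false],
  ['/login/', false],       // optional trailing slash
  ['/LOGIN', false],        // express route matching is case-insensitive by default
  ['/logout', false],
  ['/admin', true],
  ['/admin/', true],
  ['/loginhistory', true],  // merely starts with "login"; must still be protected
  ['/logout-audit', true],
]);

// True when the route regex would cause the auth middleware to run for `path`.
function isProtected(routeRegex, path) {
  return routeRegex.test(path);
}

// Returns the paths whose protection status differs from what is expected.
function verifyRouteRegex(routeRegex, expected = EXPECTED) {
  const mismatches = [];
  for (const [path, shouldProtect] of expected) {
    if (isProtected(routeRegex, path) !== shouldProtect) {
      mismatches.push(path);
    }
  }
  return mismatches;
}

console.log('naive mismatches:  ', verifyRouteRegex(NAIVE));
console.log('bounded mismatches:', verifyRouteRegex(BOUNDED));
```

The unbounded lookaheads leave every route whose first segment merely begins with "login" or "logout" unprotected, which is exactly the kind of surprise a visualizer or a check like this should catch before deployment.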

Try it yourself

Clone middleware-patterns and run the blocklist pattern.