UNPKG

@aikidosec/firewall

Version:

Zen by Aikido is an embedded Application Firewall that autonomously protects Node.js apps against common and critical attacks, provides rate limiting, detects malicious traffic (including bots), and more.

aikido.dev/zen

AikidoSec/firewall-node

88 lines (87 loc) 2.76 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.getApiAuthType = getApiAuthType; const isHTTPAuthScheme_1 = require("../../helpers/isHTTPAuthScheme"); // Incoming request headers are lowercase in Node.js const commonApiKeyHeaderNames = [ "x-api-key", "api-key", "apikey", "x-token", "token", ]; const commonAuthCookieNames = [ "auth", "session", "jwt", "token", "sid", "connect.sid", "auth_token", "access_token", "refresh_token", ...commonApiKeyHeaderNames, ]; /** * Get the authentication type of the API request. * Returns undefined if the authentication type could not be determined. */ function getApiAuthType(context) { if (!context.headers || typeof context.headers !== "object" || Array.isArray(context.headers)) { return undefined; } // Allow multiple auth types const result = []; // Check the Authorization header const authHeader = context.headers.authorization; if (typeof authHeader === "string") { const authHeaderType = getAuthorizationHeaderType(authHeader); if (authHeaderType) { result.push(authHeaderType); } } // Check for type apiKey in headers and cookies result.push(...findApiKeys(context)); return result.length > 0 ? result : undefined; } /** * Get the authentication type from the Authorization header. */ function getAuthorizationHeaderType(authHeader) { if (!authHeader.length) { return undefined; } if (authHeader.includes(" ")) { const [type, value] = authHeader.split(" "); if (typeof type === "string" && typeof value === "string") { if ((0, isHTTPAuthScheme_1.isHTTPAuthScheme)(type)) { return { type: "http", scheme: type.toLowerCase() }; } } } // Default to apiKey if the auth type is not recognized return { type: "apiKey", in: "header", name: "Authorization" }; } /** * Search for api keys in headers and cookies. */ function findApiKeys(context) { const result = []; for (const header of commonApiKeyHeaderNames) { if (context.headers[header]) { result.push({ type: "apiKey", in: "header", name: header }); } } if (context.cookies && typeof context.cookies === "object" && !Array.isArray(context.cookies) && Object.keys(context.cookies).length > 0) { const relevantCookies = Object.keys(context.cookies).filter((cookieName) => commonAuthCookieNames.includes(cookieName.toLowerCase())); for (const cookie of relevantCookies) { result.push({ type: "apiKey", in: "cookie", name: cookie }); } } return result; }