
api-decooyy


A plug-and-play security gateway that detects malicious traffic and redirects it to a decoy API

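// sample-api.js
//
// Small Express API serving in-memory mock users and products.
// NOTE(review): presumably the demo backend that the gateway sits in front
// of; confirm against the package README.
//
// NOTE(review): no route here is authenticated, and /api/users returns every
// e-mail address. That is tolerable only because the data is mock data; do
// not reuse this layout for real records.
const express = require('express');

const app = express();
const PORT = process.env.PORT || 8080;

// Enable JSON parsing (no route below reads req.body yet).
app.use(express.json());

// Mock database
const users = [
  { id: 1, username: 'admin', email: 'admin@example.com' },
  { id: 2, username: 'user1', email: 'user1@example.com' },
  { id: 3, username: 'user2', email: 'user2@example.com' },
];

const products = [
  { id: 1, name: 'Product A', price: 99.99 },
  { id: 2, name: 'Product B', price: 149.99 },
  { id: 3, name: 'Product C', price: 199.99 },
];

/**
 * Parse a route `:id` parameter as a plain decimal integer.
 *
 * The previous `u.id == id` comparison relied on loose equality, so values
 * such as " 1", "1.0" or "0x1" were coerced and matched record 1. Only an
 * all-digit string is accepted here.
 *
 * @param {unknown} raw - value taken from req.params
 * @returns {number|null} the parsed id, or null when the value is not a
 *   safe decimal integer
 */
function parseId(raw) {
  if (typeof raw !== 'string' || !/^\d+$/.test(raw)) {
    return null;
  }
  const id = Number.parseInt(raw, 10);
  return Number.isSafeInteger(id) ? id : null;
}

/**
 * Find the record whose `id` strictly equals the parsed route parameter.
 *
 * @param {Array<{id: number}>} collection - users or products
 * @param {unknown} rawId - value taken from req.params
 * @returns {object|undefined} the record, or undefined when the id is
 *   malformed or unknown
 */
function findById(collection, rawId) {
  const id = parseId(rawId);
  if (id === null) {
    return undefined;
  }
  return collection.find((item) => item.id === id);
}

// Routes
app.get('/api/users', (req, res) => {
  res.json(users);
});

app.get('/api/users/:id', (req, res) => {
  // A malformed id gets the same 404 as an unknown one, so the response
  // does not reveal which of the two it was.
  const user = findById(users, req.params.id);
  if (!user) {
    res.status(404).json({ error: 'User not found' });
    return;
  }
  res.json(user);
});

app.get('/api/products', (req, res) => {
  res.json(products);
});

app.get('/api/products/:id', (req, res) => {
  const product = findById(products, req.params.id);
  if (!product) {
    res.status(404).json({ error: 'Product not found' });
    return;
  }
  res.json(product);
});

// Search endpoint: substring match on product names.
app.get('/api/search', (req, res) => {
  const query = req.query.q ?? '';

  // Express's query parser can yield an array or an object for repeated or
  // bracketed `q` parameters. Reject those rather than letting
  // String.prototype.includes coerce them and echoing them back.
  if (typeof query !== 'string') {
    res.status(400).json({ error: 'Invalid query' });
    return;
  }

  // The query is echoed back through res.json (sent as JSON, not HTML), and
  // it is used only for an in-memory substring match, not to build a query
  // string for another system.
  res.json({
    query,
    timestamp: new Date().toISOString(),
    results: products.filter((p) => p.name.includes(query)),
  });
});

// Start the server.
// NOTE(review): with no host argument, listen() accepts connections on all
// interfaces. If this backend is meant to be reached only through the
// gateway, bind it to loopback or a private interface in deployment.
app.listen(PORT, () => {
  console.log(`Sample API running on port ${PORT}`);
});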