UNPKG

hopjs

Version:

A RESTful declarative API framework, with stub generators for Shell, and Android

github.com/celer/hopjs

celer/hopjs

89 lines (72 loc) 2.77 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
var express= require('express'); var path = require('path'); var https = require('https'); var http = require('http'); var fs = require('fs'); var os = require('os'); var Hop = require("./../../index"); /* Set up our certificates */ var httpsOptions = { key: fs.readFileSync('key.pem'), cert: fs.readFileSync('cert.pem'), } /* This is express boiler plate, see http://expressjs.com/guide.html */ var app = express(); app.configure(function(){ app.set('port', process.env.PORT || 3000); app.set('views', __dirname + '/views'); app.set('view engine', 'jade'); app.use(express.urlencoded()); app.use(express.json()); app.use(express.methodOverride()); app.use(express.cookieParser('your secret here')); app.use(express.session()); /* This will tell express to use it's csrf protection: ( http://en.wikipedia.org/wiki/Cross-site_request_forgery ) */ app.use(express.csrf()); app.use(app.router); app.use(express.static(path.join(__dirname, 'public'))); }); app.engine("jade",require('jade').__express); app.get("/",function(req,res){ res.render("index",{ Hop:Hop, _csrf: req.session._csrf, hostname: os.hostname() }); }); SecureService={ csrf: function(input,onComplete,req){ return onComplete(null,true); }, secureCall: function(input,onComplete,req){ return onComplete(null,input); }, insecureCall: function(input,onComplete,req){ return onComplete(null,input); } } Hop.defineClass("SecureService",SecureService,function(api){ /* We will use this call to get the csrf token for the test scripts - this is generally a really bad idea and defeats the purpose express's CSRF protection In a production application a better solution would be to use CSRF protection for all posts and then use an express middleware wrapper to allow the authentication call to be called without a CSRF token and have it return the token so scripting tools may use the CSRF token */ api.get("csrf","/csrf").sendCSRFToken(); /* This call will only work over HTTPS */ api.post("secureCall","/secure").demand("username").demand("password").sendCSRFToken().secure(); api.post("insecureCall","/insecure").demand("username").demand("password").sendCSRFToken(); }); Hop.defineTestCase("SecureService.secureCall",function(test){ test.do("SecureService.csrf").with({}).noError(); test.do("SecureService.secureCall").with({ username: "bob", password:"foo"}).errorContains("Permission denied"); }); Hop.defineTestCase("SecureService.insecureCall",function(test){ test.do("SecureService.csrf").with({}).noError(); test.do("SecureService.insecureCall").with({ username: "bob", password:"foo"}).inputSameAsOutput();; }); Hop.apiHook("/api/",app); http.createServer(app).listen(3000); https.createServer(httpsOptions,app).listen(3443);