Environment-Aware Configuration

As applications are developed, tested, staged, and deployed, they naturally progress through a series of corresponding environments, each requiring its own unique set of configuration rules. For example, consider Figure 8-1, which illustrates the process by which an application moves through a continuous integration and delivery deployment pipeline.

As the application in Figure 8-1 progresses through each environment, the settings that tell it how to connect to the various external services on which it relies must change accordingly. Kraken’s confit library provides developers with a standard convention for accomplishing this goal by offering a simple, environment-aware configuration layer for Node applications.

Confit operates by loading a default JSON configuration file (typically named config.json). Confit then attempts to load an additional configuration file based on the value of the NODE_ENV environment variable. If an environment-specific configuration file is found, any settings it specifies are recursively merged with those defined within the default configuration.

Before continuing, notice that our project’s default configuration file provides connection settings for an e-mail server under the email property, while neither of the project’s environment-specific configuration files provides such information. In contrast, the default configuration provides connection settings for a Redis cache server under the nested cache:redis property, while both of the environment-specific configurations provide overriding information for this property.

Notice also that the default configuration file includes a comment above the email property. Comments, which are not part of the JSON specification, would normally result in an error being thrown if we attempted to use Node’s require() method to parse the contents of this file. Confit, however, will strip out such comments before attempting to parse the file, allowing us to embed comments within our configuration as needed.

As you can see in Listing 8-3, confit compiled our project’s configuration object by merging the contents of the config/development.json environment configuration file with the default config/config.json file, giving priority to any settings specified in development.json. As a result, our configuration object inherited the email settings that only exist in config.json, along with the cache and database settings defined within the configuration file for the development environment. In Listing 8-1, these settings are accessed through the use of the configuration object’s get() method .

Configuration-Based Middleware Registration

Express processes incoming HTTP requests by pushing them through a series of configurable “middleware” functions, as shown in Figure 8-2.

This approach provides developers with a considerable degree of flexibility, allowing them to execute their own logic at any point during the request-response cycle. It also allows Express to maintain a relatively small footprint by delegating responsibility for performing nonessential tasks to third-party middleware modules. But as flexible as this approach is, it can also prove troublesome to manage as applications and the teams that develop them grow in size and complexity.

With the help of Kraken’s meddleware module , all aspects of third-party middleware management within this application have been moved from code to standardized configuration files. The result is an application that is not only more organized but also easier to understand and modify.

Structured Route Registration

In the previous section, you learned how Kraken’s meddleware module can simplify middleware function registration by moving the logic required for loading and configuring those functions into standardized JSON configuration files. In much the same way, Kraken’s enrouten module applies the same concept to bring structure where there often is none to be found—Express routes.

Simple Express applications with a small number of routes can often make do with a single module in which every available route is defined. However, as applications gradually grow in depth and complexity, such an organizational structure (or lack thereof) can quickly become unwieldy. Enrouten solves this problem by providing three approaches with which Express routes can be defined in a consistent, structured fashion.

Directory Configuration

Listing 8-15 demonstrates the use of enrouten’s directory configuration option . When set, enrouten will recursively scan the contents of the specified folder, searching for modules that export a function accepting a single argument. For each module it finds, enrouten will pass an Express Router instance that has been mounted to a path predetermined by that module’s location within the directory structure—a “convention over configuration” approach.

// enrouten-directory/config/config.json

{

    "middleware": {

        "enrouten": {

            "enabled": true,

            "priority": 10,

            "module": {

                "name": "express-enrouten",

                "arguments": [{ "directory": "path:../routes" }]

            }

        }

    }

}

Listing 8-15

Setting Enrouten’s directory Configuration Option

Figure 8-3 shows the structure of this project’s /routes folder, while Listing 8-16 shows the contents of the /routes/api/v1/accounts/index.js module. Based on this module’s location within the /routes folder, the URLs for each route that it defines will be prefixed with /api/v1/accounts.

// enrouten-directory/routes/api/v1/accounts/index.js

var _ = require('lodash');

var path = require('path');

module.exports = function(router) {

    var accounts = require(path.join(APPROOT, 'models', 'accounts'));

    /**

     * @route /api/v1/accounts

     */

    router.route('/')

        .get(function(req, res, next) {

            res.send(accounts);

        });

    /**

     * @route /api/v1/accounts/:account_id

     */

    router.route('/:account_id')

        .get(function(req, res, next) {

        var account = _.findWhere(accounts, {

            'id': parseInt(req.params.account_id, 10)

        });

        if (!account) return next(new Error('Account not found'));

            res.send(account);

        });

};

Listing 8-16

The /api/v1/accounts Controller

Dust Templates

Many popular JavaScript template engines (e.g., Mustache and Handlebars) tout themselves as being “logic-less”—an attribute that describes their ability to help developers maintain a clear separation of concerns between an application’s business logic and its presentation layer. When properly maintained, this separation makes it possible for significant changes to occur within the interface that users are presented with while requiring minimal (if any) accompanying changes behind the scenes (and vice versa).

Logic-less template engines attempt to prevent developers from creating spaghetti code by banning the use of logic within an application’s views. Such templates are typically capable of referencing values within a provided payload of information, iterating through arrays, and toggling specific portions of their content on and off based on simple boolean logic.

Unfortunately, this rather heavy-handed approach often brings about the very problems it hoped to prevent, albeit in an unexpected way. Although logic-less template engines such as Handlebars prevent the use of logic within templates themselves, they do not negate the need for that logic to exist in the first place. The logic required for preparing data for template use must exist somewhere, and more often than not, the use of logic-less template engines results in presentation-related logic spilling over into the business layer.

Dust, which is the JavaScript template engine favored by Kraken, seeks to solve this problem by taking an approach that is better thought of as “less-logic” rather than strictly “logic-less.” By allowing developers to embed slightly more advanced logic within their templates in the form of “helpers,” Dust allows presentation logic to remain where it belongs, in the presentation layer, rather than the business layer.

Let’s Get Kraken

In this book’s first section on development tools, we covered four useful utilities that help manage many of the tasks associated with web development—among them: Bower, Grunt, and Yeoman. Kraken relies on each of these tools, along with a Yeoman generator that will assist us in building out the initial structure of our project. If you have not already done so, you should install these modules globally via npm, as shown here:

$ npm install -g yo generator-kraken bower grunt-cli

Creating a new Kraken project with Yeoman is an interactive process. In this example, we pass the generator a name for our new project (app), at which point it begins to prompt us with questions. Figure 8-4 shows the steps that were taken to create this chapter’s app project.

Once you have answered these questions, the generator will create the project’s initial file structure and begin installing the necessary dependencies. Afterward, you should find a new app folder containing the contents of the project, which should resemble that shown in Figure 8-5.

Kraken’s Yeoman generator has automated the process of creating a new Express application that is organized using modules that were previously covered in this chapter. We can immediately launch the project in its current state as shown in Listing 8-47. Afterward, the project can be accessed at a local address (see Figure 8-6).

$ npm start

> [email protected] start /Users/tim/temp/app

> node server.js

Server listening on http://localhost:8000

Application ready to serve requests.

Environment: development

Listing 8-47

Launching the Project for the First Time

As you can see, our project has been preconfigured (with the help of confit and meddleware) to use a number of helpful middleware modules (e.g., cookieParser, session, etc.). For some additional insight into how all of this comes together, Listing 8-48 shows the contents of the project’s index.js script.

// app/index.js

var express = require('express');

var kraken = require('kraken-js');

var options, app;

/*

 * Create and configure application. Also exports application instance for use by tests.

 * See https://github.com/krakenjs/kraken-js#options for additional configuration options.

 */

options = {

    onconfig: function (config, next) {

        /*

         * Add any additional config setup or overrides here. `config` is an initialized

         * `confit` (https://github.com/krakenjs/confit/) configuration object.

         */

        next(null, config);

    }

};

app = module.exports = express();

app.use(kraken(options));

app.on('start', function () {

    console.log('Application ready to serve requests.');

    console.log('Environment: %s', app.kraken.get('env:env'));

});

Listing 8-48

Contents of Our New Project’s index.js Script

The kraken-js module , which we see here, is nothing more than a standard Express middleware library. However, instead of simply augmenting Express with some small bit of additional functionality, Kraken takes responsibility for configuring a complete Express application. It will do so with the help of many other modules, including those that have already been covered in this chapter: confit, meddleware, enrouten, and adaro.

As shown in Listing 8-48, Kraken is passed a configuration object containing an onconfig() callback function, which will be called after Kraken has taken care of initializing confit for us. Here we can provide any last-minute overrides that we may not want to define directly within the project’s JSON configuration files. In this example, no such overrides are made.

Controllers, Models, and Tests

In this chapter’s “Structured Route Registration” section, we discovered how enrouten can help bring order to the often haphazard manner in which Express routes are defined. By default, a new Kraken project is set up to use enrouten’s directory configuration option, allowing it to recursively scan the contents of a specified folder, searching for modules that export a function accepting a single argument (i.e., router). For each module it finds (referred to as a “controller”), enrouten will pass an Express Router instance that has been mounted to a path predetermined by that module’s location within the directory structure. We can see this process in action by looking at the default controller that Kraken has created for our project, shown in Listing 8-49.

// app/controllers/index.js

var IndexModel = require('../models/index');

module.exports = function (router) {

    var model = new IndexModel();

    /**

     * The default route served for us when we access the app at: http://localhost:8000

     */

    router.get('/', function (req, res) {

        res.render('index', model);

    });

};

Listing 8-49

Our Project’s Default Controller

In addition to creating a default controller for our project, Kraken has also taken care of creating a corresponding model, IndexModel, which you can see referenced in Listing 8-49. We will discuss Kraken’s relationship with models shortly, but first, let’s walk through the process of creating a new controller of our own.

Chapter 2, which covered Yeoman, demonstrated that generators have the ability to provide subcommands capable of providing developers with functionality whose usefulness extends well beyond the initial creation of a project. Kraken’s Yeoman generator takes advantage of this by providing a controller subcommand, with which new controllers can quickly be created. By way of an example, let’s create a new controller that will be responsible for managing a collection of RSS feeds:

$ yo kraken:controller feeds

After specifying our desired path, feeds, to the generator’s controller subcommand, five new files are automatically created for us:

• controllers/feeds.js: Controller

• models/feeds.js: Model

• test/feeds.js: Test suite

• public/templates/feeds.dust: Dust template

• locales/US/en/feeds.properties: Internationalization settings

For the moment, let’s place our focus on the first three files listed here, starting with the model. We’ll take a look at the accompanying Dust template and internalization settings file in the next section.

The Model

Listing 8-50 shows the initial state of our project’s new feeds model. If you were expecting something sophisticated, you will likely be disappointed. As you can see, this file serves as little more than a generic stub that we are expected to replace with our own persistence layer.

// models/feeds.js

module.exports = function FeedsModel() {

    return {

        name: 'feeds'

    };

};

Listing 8-50

Initial Contents of the feeds Model

Unlike many other “full-stack” frameworks that attempt to provide developers with tools that address every conceivable need (including data persistence), Kraken takes a minimalistic approach that does not attempt to reinvent the wheel. This approach recognizes that developers already have access to a wide variety of well-supported libraries for managing data persistence, two of which are covered by this book: Knex/Bookshelf and Mongoose.

By way of an example, let’s update this module so that it exports a Bookshelf model capable of fetching and storing information within a feeds table stored in a SQLite database. Listing 8-51 shows the updated contents of the feeds model.

// models/feeds.js

var bookshelf = require('../lib/bookshelf');

var Promise = require('bluebird');

var feedRead = require('feed-read');

var Feed = bookshelf.Model.extend({

    'tableName': 'feeds',

    'getArticles': function() {

        var self = this;

        return Promise.fromNode(function(callback) {

            feedRead(self.get('url'), callback);

        });

    }

});

module.exports = Feed;

Listing 8-51

Updated feeds Model That Uses Knex/Bookshelf

Note

The updated model shown in Listing 8-51 assumes that you are already familiar with the Knex and Bookshelf libraries, along with the steps necessary to configure them. If that is not the case, you may want to read Chapter 10. Regardless, this chapter’s app project provides a fully functioning demonstration of the code shown here.

The Controller

Listing 8-52 shows the initial contents of our project’s new feeds controller. As with the original controller that accompanied our project, this controller references a corresponding model that Kraken has conveniently created for us, which we have already seen.

// controllers/feeds.js

var FeedsModel = require('../models/feeds');

/**

 * @url http://localhost:8000/feeds

 */

module.exports = function (router) {

    var model = new FeedsModel();

    router.get('/', function (req, res) {

    });

};

Listing 8-52

Initial Contents of the feeds Controller

In its default state, the feeds controller accomplishes very little. Let’s update this controller to include a few additional routes that will allow clients to interact with our application’s Feed model. The updated version of the feeds controller is shown in Listing 8-53.

var Feed = require('../models/feeds');

module.exports = function(router) {

    router.param('feed_id', function(req, res, next, id) {

        Feed.where({

            'id': id

        }).fetch({

            'require': true

        }).then(function(feed) {

            req.feed = feed;

            next();

        }).catch(next);

    });

    /**

     * @url http://localhost:8000/feeds

     */

    router.route('/')

        .get(function(req, res, next) {

            return Feed.where({})

                .fetchAll()

                .then(function(feeds) {

                    if (req.accepts('html')) {

                        return res.render('feeds', {

                            'feeds': feeds.toJSON()

                        });

                    } else if (req.accepts('json')) {

                        return res.send(feeds);

                    } else {

                        throw new Error('Unknown `Accept` value: ' + req.headers.accept);

                    }

                })

                .catch(next);

        });

    /**

     * @url http://localhost:8000/feeds/:feed_id

     */

    router.route('/:feed_id')

        .get(function(req, res, next) {

            res.send(req.feed);

        });

    /**

     * @url http://localhost:8000/feeds/:feed_id/articles

     */

    router.route('/:feed_id/articles')

        .get(function(req, res, next) {

            req.feed.getArticles()

                .then(function(articles) {

                    res.send(articles);

                })

                .catch(next);

        });

};

Listing 8-53

Updated feeds Controller

With these updates in place, clients now have the ability to

• List feeds

• Fetch information regarding a specific feed

• Fetch articles from a specific feed

In the next section, we will take a look at the test suite that Kraken has created for this portion of our application. With this test suite, we can verify that the routes we have defined work as expected.

The Test Suite

Listing 8-54 shows the initial contents of the test suite that Kraken has created for our new controller. Here we see a single test, which is defined with the help of SuperTest, which is an extension of SuperAgent, a simple library for making HTTP requests.

// test/feeds.js

var kraken = require('kraken-js');

var express = require('express');

var request = require('supertest');

describe('/feeds', function() {

    var app, mock;

    beforeEach(function(done) {

        app = express();

        app.on('start', done);

        app.use(kraken({

            'basedir': process.cwd()

        }));

        mock = app.listen(1337);

    });

    afterEach(function (done) {

        mock.close(done);

    });

    it('should say "hello"', function(done) {

        request(mock)

            .get('/feeds')

            .expect(200)

            .expect('Content-Type', /html/)

            .expect(/"name": "index"/)

            .end(function (err, res) {

                done(err);

            });

    });

});

Listing 8-54

Test Suite for the feeds Controller

In this example, a GET request is made to our application’s /feeds endpoint, and the following assertions are made:

• The server should respond with an HTTP status code of 200.

• The server should respond with a Content-Type header containing the string html.

• The body of the response should contain the string "name": "index".

Given the recent updates that we have made to our new controller, these assertions no longer apply. Let’s replace them with a few tests that are relevant. Listing 8-55 shows the updated contents of the test suite.

// test/feeds/index.js

var assert = require('assert');

var kraken = require('kraken-js');

var express = require('express');

var request = require('supertest');

describe('/feeds', function() {

    var app, mock;

    beforeEach(function(done) {

        app = express();

        app.on('start', done);

        app.use(kraken({'basedir': process.cwd()}));

        mock = app.listen(1337);

    });

    afterEach(function(done) {

        mock.close(done);

    });

    it('should return a collection of feeds', function(done) {

        request(mock)

            .get('/feeds')

            .expect('Content-Type', /json/)

            .expect(200)

            .end(function(err, res) {

                if (err) return done(err);

                assert(res.body instanceof Array, 'Expected an array');

                done();

            });

    });

    it('should return a single feed', function(done) {

        request(mock)

            .get('/feeds/1')

            .expect('Content-Type', /json/)

            .expect(200)

            .end(function(err, res) {

                if (err) return done(err);

                assert.equal(typeof res.body.id, 'number',

                    'Expected a numeric `id` property');

                done();

            });

    });

    it('should return articles for a specific feed', function(done) {

        request(mock)

            .get('/feeds/1/articles')

            .expect('Content-Type', /json/)

            .expect(200)

            .end(function(err, res) {

                if (err) return done(err);

                assert(res.body instanceof Array, 'Expected an array');

                done();

            });

    });

});

Listing 8-55

Updated Contents of the feeds Test Suite

Our updated test suite now contains three tests designed to verify that each of our new controller’s routes are functioning correctly. Consider the first test, for instance, which will make a GET request to our application’s /feeds endpoint and make the following assertions:

• The server should respond with an HTTP status code of 200.

• The server should respond with a Content-Type header containing the string json.

• The server should return one or more results in the form of an array.

Note

Recall that our application’s Feed model was created with the help of the Knex and Bookshelf libraries. The data that you see referenced in this project originates from a Knex “seed” file (seeds/developments/00-feeds.js) with which we can populate our database with sample data. At any point, this project’s SQLite database can be reset to its initial state by running $ grunt reset-db from the command line. If these concepts are unfamiliar to you, you may want to read Chapter 10.

Figure 8-7 shows the output that is printed to the console when our project’s test Grunt task is called.

Internationalization and Localization

Kraken provides built-in support for creating applications that are capable of adapting themselves to meet the unique needs of multiple languages and regions, an important requirement for most products that hope to see widespread use across multiple, diverse markets. In this section we’ll take a look at the two steps by which this is accomplished, internationalization and localization, and how they can be applied within the context of a Kraken application whose templates are generated on the server.

Internationalization (frequently shortened to i18n) refers to the act of developing applications that are capable of supporting multiple regions and dialects. In practice, this is accomplished by avoiding the direct use of locale-specific words, phrases, and symbols (e.g., currency symbols) within an application’s templates. Placeholders are instead used, which are later populated at the moment a template is requested, based on the location or settings of the user who is making the request. By way of an example, consider the Dust template that is shown in Listing 8-56, which is responsible for rendering the home page of this chapter’s app project.

// app/public/templates/index.dust

{>"layouts/master" /}

{<body}

    <div class="panel panel-default">

        <div class="panel-heading">

            <h3 class="panel-title">{@pre type="content" key="greeting" /}</h3>

        </div>

        <div class="panel-body">

            <form method="post" action="/sessions">

                <div class="form-group">

                    <label>{@pre type="content" key="email_address" /}</label>

                    <input type="email" name="email" class="form-control">

                </div>

                <div class="form-group">

                    <label>{@pre type="content" key="password" /}</label>

                    <input type="password" name="password" class="form-control">

                </div>

                <button type="submit" class="btn btn-primary">

                    {@pre type="content" key="submit" /}

                </button>

            </form>

        </div>

    </div>

{/body}

Listing 8-56

Dust Template for the Home Page of app Project

The basic semantics at work here should be familiar, based on material that was previously covered in this chapter’s section on Dust. As you can see, instead of directly embedding content, this template relies on a special Dust helper provided by Kraken, @pre, with which we can reference content that is stored in separate, locale-specific content files. The corresponding content files for this particular template are shown in Listing 8-57.

// app/locales/US/en/index.properties

# Comments are supported

greeting=Welcome to Feed Reader

submit=Submit

email_address=Email Address

password=Password

// app/locales/ES/es/index.properties

greeting=Bienvenida al Feed Reader

submit=Presentar

email_address=Correo Electrónico

password=Contraseña

Listing 8-57

Corresponding Content Files for the Dust Template Shown in Listing 8-56

Note

Take note of the location of this example’s template, public/templates/index.dust, and the location of its corresponding content property files, locales/US/en/index.properties and locales/ES/es/index.properties. Kraken is configured to pair Dust templates with content property files such as these on a one-to-one basis, by matching them based on their paths and file names.

In contrast to internationalization (i18n), which is primarily concerned with the creation of applications that are capable of supporting the injection of localized content, localization (l10n) refers to the process by which locale- and dialect-specific content files, such as those shown in this example, are created. The controller shown in Listing 8-58 demonstrates how Kraken helps developers bring these concepts together to provide users with content that is tailored to meet their specific needs.

// app/controllers/index.js

module.exports = function (router) {

    /**

     * The default route served for us when we access the app

     * at http://localhost:8000

     */

    router.get('/', function (req, res) {

        res.locals.context = { 'locality': { 'language': 'es', 'country': 'ES' } };

        res.render('index');

    });

};

Listing 8-58

Serving a Locale-Specific Version of the Home Page

This example is an updated version of the controller that we originally saw in Listing 8-49, which is responsible for rendering our application’s home page. Here we specify the country and language to be used for locating content files by assigning them to the locals.context property of the incoming Express response object. If no such value is specified, Kraken’s default behavior is to use US English. The English and Spanish versions of the rendered template are shown in Figure 8-8 and Figure 8-9, respectively.

Detecting Locality

The example shown in Listing 8-58 demonstrates the process by which specific regional settings can be manually assigned to an incoming request. What it does not demonstrate, however, is the process by which a user’s desired localization settings can be automatically detected.

Listing 8-59 demonstrates a simple method for determining locality based on the value of the accept-language HTTP request header. In this example, we have removed the logic for determining a user’s locality from our route and placed it in a more appropriate location—a middleware function that will be called for every incoming request.

// app/lib/middleware/locale.js

var acceptLanguage = require('accept-language');

/**

 * Express middleware function that automatically determines locality based on the value

 * of the `accept-language` header.

 */

module.exports = function() {

    return function(req, res, next) {

        var locale = acceptLanguage.parse(req.headers['accept-language']);

        res.locals.context = {

            'locality': { 'language': locale[0].language, 'country': locale[0].region }

        };

        next();

    };

};

// app/config/config.json (excerpt)

"middleware":{

    "locale": {

        "module": {

         "name": "path:./lib/middleware/locale"

        },

        "enabled": true

    }

}

Listing 8-59

Detecting Locality Based on the Value of the accept-language HTTP Request Header

Note

While helpful, the accept-language HTTP request header does not always reflect the desired localization settings of the user making the request. Always be sure to provide users with a method for manually specifying such settings on their own (e.g., as part of a “Settings” page).

Security

Given Kraken’s origins at PayPal, a worldwide online payments processor, it should come as no surprise that the framework focuses heavily on security. Kraken does so with the help of Lusca, a library that extends Express with a number of enhanced security techniques, as suggested by the Open Web Application Security Project (OWASP). These extensions are provided in the form of multiple, independently configurable middleware modules. In this section, we will briefly examine two ways in which Kraken can help secure Express against commonly encountered attacks.

Note

This material should by no means be considered exhaustive. It is merely intended to serve as a starting point for implementing security within the context of a Kraken/Express application. Readers with a hand in implementing security on the Web are highly encouraged to delve further into this topic by reading a few of the many great books that are devoted entirely to this subject.

Defending Against Cross-Site Request Forgery Attacks

To understand the basic premise behind cross-site request forgery (CSRF) attacks, it is important to understand the method by which most web applications authenticate their users: cookie-based authentication. This process is illustrated in Figure 8-10.

In a typical scenario, a user will submit their credentials to a web application, which will then compare them with those it has on file. Assuming the credentials are valid, the server will then create a new session—essentially, a record representing the user’s successful sign-in attempt. A unique identifier belonging to this session is then transmitted to the user in the form of a cookie, which is automatically stored by the user’s browser. Subsequent requests to the application made by the browser will automatically attach the information stored in this cookie, allowing the application to look up the matching session record. As a result, the application has the ability to verify the user’s identity without requiring the user to resubmit their username and password along with every request.

A CSRF attack takes advantage of the trusted relationship (i.e., session) that exists between an application and a user’s browser, by tricking that user into submitting an unintended request to the application. Let’s take a look at an example that should help explain how this works. Figure 8-11 illustrates the process by which a user signs into a trusted application—in this case, the csrf-server project that is included with this chapter’s source code.

Figure 8-12 shows the welcome screen that the user is presented with after successfully signing into the application. Here we see some basic information about the user, including their name and when their account was created.

At this point, imagine a scenario in which the user leaves the application (without signing out) and visits another site, which, unbeknownst to the user, has malicious intent (see Figure 8-13). A copy of this malicious site can be found in this chapter’s csrf-attack project. In this example, the malicious site lures the user into clicking a button with the tempting promise of free candy and butterflies.

Listing 8-60 shows an excerpt from the HTML for this malicious site, which should help explain what is going to happen when the user clicks this button. As you can see, clicking the button will trigger the creation of a POST request to the original application’s /transfer-funds route.

// csrf-attack/views/index.dust (excerpt)

<form method="post" action="http://localhost:7000/transfer-funds">

    <button type="submit" class="btn btn-primary">

        Click Here for Free Candy and Butterflies

    </button>

</form>

Listing 8-60

Malicious Web Form

After clicking the button, instead of receiving the free candy and butterflies that they were promised, the user is greeted with a message indicating that all of the funds have been transferred out of their account, as shown in Figure 8-14.

Several different steps can be taken to defend against attacks of this nature. The method by which Kraken defends against them is referred to as the “synchronizer token pattern.” In this approach, a random string is generated for each incoming request, which the client can subsequently access as part of a template’s context or via a response header. Importantly, this string is not stored as a cookie. The next POST, PUT, PATCH, or DELETE request made by the client must include this string, which the server will then compare with the one it previously generated. The request will only be allowed to proceed if a match is made.

Let’s take a look at how this works in practice. Figure 8-15 shows the sign-in page for this chapter’s app project. Refer back to Listing 8-56 to see the underlying HTML for this page.

In its current state, any attempt to sign in using this form will result in the error shown in Figure 8-16. Here we see an error message from Kraken warning us of a missing “CSRF token.”

This error can be resolved with the addition of a single, hidden input to our application’s login form. Listing 8-61 shows an excerpt from our application’s updated Dust template, along with an excerpt from the rendered output.

// app/public/templates/index.dust (excerpt)

<form method="post" action="/sessions">

    <input type="hidden" name="_csrf" value="{_csrf}">

    <!-- ... ->

</form>

// Rendered output

<form method="post" action="/sessions">

    <input type="hidden" name="_csrf" value="OERRGi9AGNPEYnNWj8skkfL9f0JIWJp3uKK8g=">

    <!-- ... ->

</form>

Listing 8-61

Inserting a Hidden _csrf Field into the Sign-In Form

Here we create a hidden input with the name _csrf, the value for which Lusca has automatically passed to our template’s context under a property with the same name. The value that we see rendered in this example, OERRGi9AGNPEYnNWj8skkfL9f0JIWJp3uKK8g=, is a random hash that Lusca has generated for us (i.e., the “synchronizer token”). When we submit this form, Lusca will verify that this value matches the one it previously gave us. If they match, the request is allowed to proceed. Otherwise, an error is thrown. This approach allows applications to defend against CSRF attacks by requiring additional, identifying information that is not stored as part of a cookie, making it much more difficult for attackers to trick users into performing unintended actions.

Configuring Content Security Policy Headers

Lusca provides developers with a convenient mechanism for configuring an application’s Content Security Policy (CSP ). These rules provide instructions to supporting browsers regarding the locations from which various resources (e.g., scripts, stylesheets, images, etc.) can be loaded. When defined, these rules are conveyed to browsers in the form of the Content-Security-Policy response header.

By way of an example, see Listing 8-62, in which Lusca’s csp middleware module is provided with a configuration object specifying that only images may be loaded from any domain. All other resources must originate from the application’s domain.

app.use(lusca({

    'csp': {

    'default-src': ''self",

    'img-src': '*'

    }

});

Listing 8-62

Configuring an Application’s Content Security Policy

Note

For a full list of the various options that can be configured via the Content-Security-Policy header, visit the Open Web Application Security Project (OWASP) at https://owasp.org .

Summary

The Node community is heavily influenced by the so-called “Unix philosophy,” which promotes (among other things) the creation of small, tightly focused modules that are designed to do one thing well. This approach has allowed Node to thrive as a development platform by fostering a large ecosystem of open source modules. PayPal has taken this philosophy to heart by structuring Kraken not as a single, monolithic framework, but rather as a collection of modules that extends and provides structure to Express-based applications. By taking this approach, PayPal has managed to contribute several modules to the Node ecosystem from which developers can benefit, regardless of whether they choose to use Kraken as a whole.

Related Resources