Blacklisting authentication middleware

Updating docs
avoidwork · Aug 19, 2014 · ac4a395 · ac4a395
1 parent dac3270
commit ac4a395
Show file tree

Hide file tree

Showing 8 changed files with 52 additions and 31 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,8 @@
 # Change Log
 
+## 0.4.3
+- Upgrading turtle.io to 3.0.13 & blacklisting all authentication middleware
+
 ## 0.4.2
 - Added lusca for security, enabling CSRF by default
 - Added grunt-nsp-package for module vulnerability scanning during `package` task

diff --git a/doc/global.html b/doc/global.html
@@ -1826,7 +1826,7 @@ <h5>Returns:</h5>
 
 		<span class="jsdoc-message">
 		Documentation generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.2.2</a>
-		on 2014-08-16T12:32:34-04:00 using the <a
+		on 2014-08-18T20:02:15-04:00 using the <a
 			href="https://github.com/terryweiss/docstrap">DocStrap template</a>.
 		</span>
 				</footer>

diff --git a/doc/index.html b/doc/index.html
@@ -317,7 +317,7 @@ <h2>Sessions</h2>
     }
 }</code></pre>
 <h2>Security</h2>
-<p>Tensō uses <a href="https://github.com/krakenjs/lusca">lusca</a> for security as a middleware. Please see it's documentation for how to configure it.</p>
+<p>Tensō uses <a href="https://github.com/krakenjs/lusca#api">lusca</a> for security as a middleware. Please see it's documentation for how to configure it; each method &amp; argument is a key:value pair for <code>security</code>.</p>
 <pre><code class="lang-javascript">{
     &quot;security&quot;: { ... }
 }</code></pre>
@@ -380,7 +380,7 @@ <h2>License</h2>
 
 		<span class="jsdoc-message">
 		Documentation generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.2.2</a>
-		on 2014-08-16T12:32:34-04:00 using the <a
+		on 2014-08-18T20:02:15-04:00 using the <a
 			href="https://github.com/terryweiss/docstrap">DocStrap template</a>.
 		</span>
 				</footer>

diff --git a/doc/module-tenso.html b/doc/module-tenso.html
@@ -125,7 +125,7 @@ <h2>
 	<dt class="tag-version">Version:</dt>
 	<dd class="tag-version">
 		<ul class="dummy">
-			<li>0.4.2</li>
+			<li>0.4.3</li>
 		</ul>
 	</dd>
 
@@ -218,7 +218,7 @@ <h2>
 
 		<span class="jsdoc-message">
 		Documentation generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.2.2</a>
-		on 2014-08-16T12:32:34-04:00 using the <a
+		on 2014-08-18T20:02:15-04:00 using the <a
 			href="https://github.com/terryweiss/docstrap">DocStrap template</a>.
 		</span>
 				</footer>

diff --git a/doc/modules.list.html b/doc/modules.list.html
@@ -188,7 +188,7 @@ <h2>
 
 		<span class="jsdoc-message">
 		Documentation generated by <a href="https://github.com/jsdoc3/jsdoc">JSDoc 3.2.2</a>
-		on 2014-08-16T12:32:34-04:00 using the <a
+		on 2014-08-18T20:02:15-04:00 using the <a
 			href="https://github.com/terryweiss/docstrap">DocStrap template</a>.
 		</span>
 				</footer>

diff --git a/lib/tenso.js b/lib/tenso.js
@@ -6,13 +6,13 @@
  * @license BSD-3 <https://raw.github.com/avoidwork/tenso/master/LICENSE>
  * @link http://avoidwork.github.io/tenso
  * @module tenso
- * @version 0.4.2
+ * @version 0.4.3
  */
 ( function () {
 "use strict";
 
 var turtleio = require( "turtle.io" ),
-    SERVER   = "tenso/0.4.2",
+    SERVER   = "tenso/0.4.3",
     CONFIG   = require( __dirname + "/../config.json" ),
     keigai   = require( "keigai" ),
     util     = keigai.util,
@@ -51,7 +51,7 @@ function Tenso () {
 	this.rates        = {};
 	this.server       = turtleio();
 	this.server.tenso = this;
-	this.version      = "0.4.2";
+	this.version      = "0.4.3";
 }
 
 /**
@@ -175,7 +175,7 @@ function auth ( obj, config ) {
 	var ssl   = config.ssl.cert && config.ssl.key,
 	    proto = "http" + ( ssl ? "s" : "" ),
 	    realm = proto + "://" + ( config.hostname === "localhost" ? "127.0.0.1" : config.hostname ) + ( config.port !== 80 && config.port !== 443 ? ":" + config.port : "" ),
-	    sesh;
+	    sesh, fnCookie, fnSesh, luscaCsrf, luscaCsp, luscaXframe, luscaP3p, luscaHsts, luscaXssProtection, protection;
 
 	config.auth.protect = ( config.auth.protect || [] ).map( function ( i ) {
 		return new RegExp( "^" + i !== "/login" ? i.replace( /\.\*/g, "*" ).replace( /\*/g, ".*" ) : "$", "i" );
@@ -192,35 +192,44 @@ function auth ( obj, config ) {
 			sesh.store = new RedisStore( config.session.redis );
 		}
 
-		obj.server.use( session( sesh ) );
-		obj.server.use( cookie() );
+		fnCookie = cookie();
+		fnSesh = session( sesh );
+		obj.server.use( fnSesh ).blacklist( fnSesh );
+		obj.server.use( fnCookie ).blacklist( fnCookie );
 
 		if ( config.security.csrf ) {
-			obj.server.use( lusca.csrf( {key: config.security.key} ) );
+			luscaCsrf = lusca.csrf( {key: config.security.key} );
+			obj.server.use( lusca.csrf( {key: config.security.key} ) ).blacklist( luscaCsrf );
 		}
 	}
 
 	if ( config.security.csp instanceof Object ) {
-		obj.server.use( lusca.csp( config.security.csp ) );
+		luscaCsp = lusca.csp( config.security.csp );
+		obj.server.use( luscaCsp ).blacklist( luscaCsp );
 	}
 
 	if ( !string.isEmpty( config.security.xframe ) ) {
-		obj.server.use( lusca.xframe( config.security.xframe ) );
+		luscaXframe = lusca.xframe( config.security.xframe );
+		obj.server.use( luscaXframe ).blacklist( luscaXframe );
 	}
 
 	if ( !string.isEmpty( config.security.p3p ) ) {
-		obj.server.use( lusca.p3p( config.security.p3p ) );
+		luscaP3p = lusca.p3p( config.security.p3p );
+		obj.server.use( luscaP3p ).blacklist( luscaP3p );
 	}
 
 	if ( config.security.hsts instanceof Object ) {
-		obj.server.use( lusca.hsts( config.security.hsts ) );
+		luscaHsts = lusca.hsts( config.security.hsts );
+		obj.server.use( luscaHsts ).blacklist( luscaHsts );
 	}
 
 	if ( config.security.xssProtection instanceof Object ) {
-		obj.server.use( lusca.xssProtection( config.security.xssProtection ) );
+		luscaXssProtection = lusca.xssProtection( config.security.xssProtection );
+		obj.server.use( luscaXssProtection ).blacklist( luscaXssProtection );
 	}
 
-	obj.server.use( zuul( config.auth.protect ) );
+	protection = zuul( config.auth.protect );
+	obj.server.use( protection ).blacklist( protection );
 
 	if ( config.auth.basic.enabled ) {
 		( function () {

diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "tenso",
   "description": "Tensō is a REST API facade for node.js, designed to simplify the implementation of APIs.",
-  "version": "0.4.2",
+  "version": "0.4.3",
   "homepage": "http://avoidwork.github.io/tenso",
   "author": {
     "name": "Jason Mulligan",
@@ -29,7 +29,7 @@
   },
   "dependencies": {
     "keigai": "0.6.1",
-    "turtle.io": "3.0.12",
+    "turtle.io": "3.0.13",
     "cookie-parser": "1.3.2",
     "express-session": "^1.7.2",
     "passport": "0.2.0",

diff --git a/src/auth.js b/src/auth.js
@@ -10,7 +10,7 @@ function auth ( obj, config ) {
 	var ssl   = config.ssl.cert && config.ssl.key,
 	    proto = "http" + ( ssl ? "s" : "" ),
 	    realm = proto + "://" + ( config.hostname === "localhost" ? "127.0.0.1" : config.hostname ) + ( config.port !== 80 && config.port !== 443 ? ":" + config.port : "" ),
-	    sesh;
+	    sesh, fnCookie, fnSesh, luscaCsrf, luscaCsp, luscaXframe, luscaP3p, luscaHsts, luscaXssProtection, protection;
 
 	config.auth.protect = ( config.auth.protect || [] ).map( function ( i ) {
 		return new RegExp( "^" + i !== "/login" ? i.replace( /\.\*/g, "*" ).replace( /\*/g, ".*" ) : "$", "i" );
@@ -27,35 +27,44 @@ function auth ( obj, config ) {
 			sesh.store = new RedisStore( config.session.redis );
 		}
 
-		obj.server.use( session( sesh ) );
-		obj.server.use( cookie() );
+		fnCookie = cookie();
+		fnSesh = session( sesh );
+		obj.server.use( fnSesh ).blacklist( fnSesh );
+		obj.server.use( fnCookie ).blacklist( fnCookie );
 
 		if ( config.security.csrf ) {
-			obj.server.use( lusca.csrf( {key: config.security.key} ) );
+			luscaCsrf = lusca.csrf( {key: config.security.key} );
+			obj.server.use( lusca.csrf( {key: config.security.key} ) ).blacklist( luscaCsrf );
 		}
 	}
 
 	if ( config.security.csp instanceof Object ) {
-		obj.server.use( lusca.csp( config.security.csp ) );
+		luscaCsp = lusca.csp( config.security.csp );
+		obj.server.use( luscaCsp ).blacklist( luscaCsp );
 	}
 
 	if ( !string.isEmpty( config.security.xframe ) ) {
-		obj.server.use( lusca.xframe( config.security.xframe ) );
+		luscaXframe = lusca.xframe( config.security.xframe );
+		obj.server.use( luscaXframe ).blacklist( luscaXframe );
 	}
 
 	if ( !string.isEmpty( config.security.p3p ) ) {
-		obj.server.use( lusca.p3p( config.security.p3p ) );
+		luscaP3p = lusca.p3p( config.security.p3p );
+		obj.server.use( luscaP3p ).blacklist( luscaP3p );
 	}
 
 	if ( config.security.hsts instanceof Object ) {
-		obj.server.use( lusca.hsts( config.security.hsts ) );
+		luscaHsts = lusca.hsts( config.security.hsts );
+		obj.server.use( luscaHsts ).blacklist( luscaHsts );
 	}
 
 	if ( config.security.xssProtection instanceof Object ) {
-		obj.server.use( lusca.xssProtection( config.security.xssProtection ) );
+		luscaXssProtection = lusca.xssProtection( config.security.xssProtection );
+		obj.server.use( luscaXssProtection ).blacklist( luscaXssProtection );
 	}
 
-	obj.server.use( zuul( config.auth.protect ) );
+	protection = zuul( config.auth.protect );
+	obj.server.use( protection ).blacklist( protection );
 
 	if ( config.auth.basic.enabled ) {
 		( function () {