Introducing middlewares #9
Conversation
…pendencies in package.json
…ests for key generation errors
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a comprehensive middleware system into the project, including security tests for prototype pollution, rate limiting, logging, and CORS support while updating related documentation and configuration.
- New security tests to prevent prototype pollution
- New middleware modules for rate limiting, logging, and CORS
- Documentation and dependency updates in package.json and README.md
Reviewed Changes
Copilot reviewed 22 out of 22 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| test/security/prototype-pollution.test.js | Introduces tests to validate prototype pollution protection |
| test/helpers/index.js | Updates request helper to return a mutable proxy for testing |
| package.json | Adds dependencies (jose, pino, typescript) for middleware support |
| lib/router/sequential.js | Enhances parameter copy logic to filter out dangerous keys |
| lib/middleware/rate-limit.js | Implements in-memory and sliding window rate limiting middleware |
| lib/middleware/logger.js | Adds a logging middleware using Pino |
| lib/middleware/index.js | Aggregates middleware modules for simple and advanced usage |
| lib/middleware/cors.js | Creates a flexible CORS middleware |
| README.md | Updates documentation to include middleware support |
| await routerInstance.fetch(testReq) | ||
|
|
||
| // Should only copy own properties, not inherited ones | ||
| expect(testReq.params.safe).toBe('good') | ||
| expect(testReq.params.inherited).toBeUndefined() |
There was a problem hiding this comment.
The test for handling inherited properties asserts on 'testReq.params', but since 'router.fetch' sets parameters on the request object, consider capturing and validating the response payload (e.g., via response.json()) to verify that only own properties are copied.
| await routerInstance.fetch(testReq) | |
| // Should only copy own properties, not inherited ones | |
| expect(testReq.params.safe).toBe('good') | |
| expect(testReq.params.inherited).toBeUndefined() | |
| const response = await routerInstance.fetch(testReq) | |
| const result = await response.json() | |
| // Should only copy own properties, not inherited ones | |
| expect(result.params.safe).toBe('good') | |
| expect(result.params.inherited).toBeUndefined() |
| } catch (error) { | ||
| // If key generation fails, fallback to a default key | ||
| try { | ||
| const key = 'unknown' |
There was a problem hiding this comment.
When key generation fails and a fallback key ('unknown') is used, consider logging the original error or using a more descriptive fallback, as this may lead to unintended rate limit collisions and make debugging harder.
No description provided.