Create permission library (#26)

- conf: move session config into http.yml
- permission: create,get,put,delete,destroy & tests, fixes #20
- chore(config): guard against prototype pollution

Author: msimerson

.npmignore

@@ -0,0 +1,16 @@
+.github
+.DS_Store
+.editorconfig
+.gitignore
+.gitmodules
+.lgtm.yml
+appveyor.yml
+codecov.yml
+.release
+.travis.yml
+.eslintrc.yaml
+.eslintrc.json
+.codeclimate.yml
+test/
+DEVELOP.md
+.prettierrc.yml

conf.d/http.yml

@@ -2,3 +2,33 @@
 default:
   host: localhost
   port: 3000
+  cookie:
+    # https://hapi.dev/module/cookie/api/?v=12.0.1
+    name: sid-nictool
+    password: af1b926a5e21f535c4f5b6c42941c4cf
+    ttl: 3600000   # 1 hour
+    # domain:
+    path: /
+    clearInvalid: true
+    isSameSite: Strict
+    isSecure: true
+    isHttpOnly: true
+  keepAlive: false
+  # redirectTo:
+  group: NicTool
+
+production:
+  port: 8080
+  cookie:
+    # Set your own secret password. hint: openssl rand -hex 16
+    # password:
+
+test:
+  cookie:
+    isSecure: false
+    password: ^NicTool.Is,The#Best_Dns-Manager$
+
+development:
+  cookie:
+    isSecure: false
+    password: ^NicTool.Is,The#Best_Dns-Manager$

conf.d/session.yml

@@ -48,6 +48,8 @@ class Config {
 
 function applyDefaults(cfg = {}, defaults = {}) {
   for (const d in defaults) {
+    /* c8 ignore next */
+    if (d === '__proto__' || d === 'constructor') continue
     if ([undefined, null].includes(cfg[d])) {
       cfg[d] = defaults[d]
     } else if (typeof cfg[d] === 'object' && typeof defaults[d] === 'object') {

lib/config.js

@@ -27,14 +27,9 @@ describe('config', () => {
       process.env.NODE_DEBUG = ''
     })
 
-    it(`loads session test config`, async () => {
-      const cfg = await Config.get('session', 'test')
-      assert.deepEqual(cfg, sessCfg)
-    })
-
-    it(`loads session test config syncronously`, () => {
-      const cfg = Config.getSync('session', 'test')
-      assert.deepEqual(cfg, sessCfg)
+    it(`loads http test config`, async () => {
+      const cfg = await Config.get('http', 'test')
+      assert.deepEqual(cfg, httpCfg)
     })
 
     it(`loads http test config syncronously`, () => {
@@ -68,7 +63,9 @@ const mysqlTestCfg = {
   decimalNumbers: true,
 }
 
-const sessCfg = {
+const httpCfg = {
+  host: 'localhost',
+  port: 3000,
   cookie: {
     clearInvalid: true,
     isHttpOnly: true,
@@ -80,9 +77,5 @@ const sessCfg = {
     ttl: 3600000,
   },
   keepAlive: false,
-}
-
-const httpCfg = {
-  host: 'localhost',
-  port: 3000,
+  group: 'NicTool',
 }

lib/config.test.js

@@ -73,6 +73,7 @@ class Mysql {
   }
 
   whereConditions(query, params) {
+    let newQuery = query
     let paramsArray = []
 
     if (Array.isArray(params)) {
@@ -81,13 +82,13 @@ class Mysql {
       // Object to WHERE conditions
       let first = true
       for (const p in params) {
-        if (!first) query += ' AND'
-        query += ` ${p}=?`
+        if (!first) newQuery += ' AND'
+        newQuery += ` ${p}=?`
         paramsArray.push(params[p])
         first = false
       }
     }
-    return [query, paramsArray]
+    return [newQuery, paramsArray]
   }
 
   async delete(query, params) {