thenativeweb / forcedomain

forcedomain is a middleware for Connect and Express that redirects any request to a default domain.

License: MIT License
Can you update lodash to the latest version? The version used is vulnerable and needs to be updated as soon as possible.
Great package! Just a small note that the package might better be called 'force-domain' per the npm naming guidelines.
npm audit shows a Prototype Pollution vulnerability arising from the dependency on lodash 4.17.15.
I'm trying to redirect all traffic on www to the non-www hostname. Is that possible using forcedomain? I'm always receiving 504 Gateway Time-out.
code:
```javascript
if (process.env.NODE_ENV === "production") {
  console.log("--- NODE_ENV: ", process.env.NODE_ENV);
  app.use(req => {
    console.log("-- what is the host? ", req.get("host"));
    console.log("-- what is the host replaced? ", req.get("host").replace("www.", ""));
    // Builds the forceDomain middleware but only returns it: Express ignores the
    // return value, so neither next() nor a response is ever produced and the
    // request hangs until the upstream proxy gives up.
    return forceDomain({
      hostname: req.get("host").replace("www.", ""),
      protocol: "https"
    });
  });
}
```
output:
```
-- what is the host?  www.mysite-env.sa-east-1.elasticbeanstalk.com
-- what is the host replaced?  misite-env.sa-east-1.elasticbeanstalk.com
```
It seems like this works for the root of the website but not for other URLs, e.g.
https://risiko.online --> https://www.risiko.online
https://risiko.online/demo --> https://risiko.online/demo
Is this the expected behavior or am I doing something wrong?
Thanks!! :-)
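Added example for the two posts above (the 504 report and the path question); it is hand-written here and is not forcedomain's own code. It strips a leading `www.` from the incoming Host header and redirects, preserving path and query through `req.originalUrl`, and it always calls `next()` when no redirect applies. The wrapper in the 504 post builds the middleware and returns it instead of invoking it, so no response is ever sent and the load balancer eventually answers 504; the handler below is created once at `app.use()` time and itself handles `(req, res, next)`. Only Node built-ins are used, so it runs without Express; `makeReq`, `makeRes` and `run` are stand-ins constructed for this example.

```javascript
// Added example, not forcedomain's own code. Express-style middleware that
// redirects www.<host> to <host>, preserving path and query string.
// Uses only Node built-ins so it runs stand-alone; no Express required.

function stripWww(hostHeader) {
  // The Host header may carry a port: "www.example.com:8080"
  return hostHeader.replace(/^www\./i, '');
}

function buildRedirect(req, protocol) {
  const host = req.get('host');
  if (!host) return null;                 // no Host header: nothing to compare
  const target = stripWww(host);
  if (target === host) return null;       // already on the canonical host
  // originalUrl keeps path and query, so /demo?x=1 survives the redirect
  return `${protocol}://${target}${req.originalUrl || '/'}`;
}

function nonWwwRedirect({ protocol = 'https', permanent = true } = {}) {
  const status = permanent ? 301 : 307;
  // Called once at app.use() time; returns the (req, res, next) handler.
  return function middleware(req, res, next) {
    const location = buildRedirect(req, protocol);
    if (location === null) {
      return next();                      // fall through to the real handlers
    }
    res.redirect(status, location);       // Express signature: res.redirect(status, url)
  };
}

// Minimal stand-ins for Express req/res, constructed for this example only.
function makeReq(host, originalUrl) {
  return { originalUrl, get: (name) => (name.toLowerCase() === 'host' ? host : undefined) };
}
function makeRes() {
  const res = { statusCode: null, location: null };
  res.redirect = (status, url) => { res.statusCode = status; res.location = url; };
  return res;
}

// Run the middleware against one request and report what happened.
function run(host, originalUrl, opts) {
  const req = makeReq(host, originalUrl);
  const res = makeRes();
  let calledNext = false;
  nonWwwRedirect(opts)(req, res, () => { calledNext = true; });
  return { calledNext, status: res.statusCode, location: res.location };
}

// Constructed sample requests. In an app: app.use(nonWwwRedirect({ protocol: 'https' }))
console.log(run('www.example.com', '/demo?x=1'));
// -> { calledNext: false, status: 301, location: 'https://example.com/demo?x=1' }
console.log(run('example.com', '/demo'));
// -> { calledNext: true, status: null, location: null }
```

The Host header is attacker-controlled, so the computed target is only ever the request's own host with `www.` removed; the middleware never reflects an arbitrary host into the Location header.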
Hello,
we are using your module, it is great.
But there is a small issue about a dependency.
In this package the dependency (lodash) is locked to a specific version, which means that no other version can be used.
For example, after using your module the app ends up with these dependencies:
lodash@4.17.10, lodash@^4.0.0, lodash@^4.11.1, lodash@^4.17.10, lodash@^4.17.4, lodash@^4.17.5, lodash@^4.2.0, lodash@^4.3.0, lodash@~4.17.4
As you can see, multiple different versions are required. All those beginning with a caret (^) can increase the minor version, and there is one with a tilde (~), so the patch version can be increased.
But your module doesn't use any character, so only lodash version 4.17.10 is used within the whole app.
Currently it is not a problem because the latest lodash version is 4.17.10, but in the future lodash can't be updated.
Similar to the exclusion for localhost, it would be nice if 192.168.x.x could be excluded as well. This is commonly used for testing on other devices on the same private network as the device that has the server running.
(some background in this SO comment)
When an incoming request doesn't have a port number in the Host header, forcedomain uses a value of `undefined` to match against the port value passed in the options. This means that setting a port value of `80` in the options will cause redirect loops (because `undefined !== 80`).
This behaviour is somewhat documented, but not very explicitly. I think that most users will assume that passing `port: 80` works just like it does with any other port number.
FWIW, passing a string value as port number also yields unexpected behaviour (which was the reason for the above-mentioned SO question being asked to begin with).
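Added example for the port problem described above; it is hand-written here and is not forcedomain's code. An absent port in the Host header is treated as the default for the request's protocol rather than as `undefined`, a string `"80"` in the options compares equal to the number `80`, and the canonical URL omits a default port so that the next request compares equal again instead of looping. It goes slightly beyond the post by also accepting bracketed IPv6 literals in the Host header and rejecting non-numeric ports. `splitHost`, `normalizePort`, `needsRedirect` and `canonicalUrl` are names chosen for this example.

```javascript
// Added example, not forcedomain's own code. Normalises the port from a Host
// header and from the options so that "no port" means the protocol default
// and "80" (string) equals 80 (number). This avoids the redirect loop in the
// issue above, where undefined !== 80 made every request redirect.

const DEFAULT_PORTS = { http: 80, https: 443 };

// Split "example.com:8080" into { hostname, port }; port is null when absent.
// Bracketed IPv6 literals such as "[::1]:3000" are handled as well.
function splitHost(hostHeader) {
  const m = /^(\[[^\]]+\]|[^:]+)(?::(\d+))?$/.exec(String(hostHeader).trim());
  if (!m) return null;
  return { hostname: m[1].toLowerCase(), port: m[2] === undefined ? null : Number(m[2]) };
}

// Turn whatever the caller passed as port (number, string, undefined) into a
// number, falling back to the protocol default. Rejects garbage like "abc".
function normalizePort(port, protocol) {
  if (port === undefined || port === null || port === '') return DEFAULT_PORTS[protocol];
  const n = Number(port);
  if (!Number.isInteger(n) || n < 1 || n > 65535) {
    throw new TypeError(`invalid port: ${JSON.stringify(port)}`);
  }
  return n;
}

// Decide whether a request already matches the wanted hostname/port/protocol.
// `requestProtocol` is whatever the app has determined (Express: req.protocol).
function needsRedirect({ hostHeader, requestProtocol }, { hostname, port, protocol }) {
  const parsed = splitHost(hostHeader);
  if (!parsed) return true;  // malformed or missing Host: send to the canonical URL
  const actualPort = parsed.port === null ? DEFAULT_PORTS[requestProtocol] : parsed.port;
  const wantedPort = normalizePort(port, protocol);
  return parsed.hostname !== hostname.toLowerCase()
    || actualPort !== wantedPort
    || requestProtocol !== protocol;
}

// Canonical URL, omitting the port when it is the protocol default so that the
// next request's Host header (which then carries no port) compares equal.
function canonicalUrl({ hostname, port, protocol }, path) {
  const p = normalizePort(port, protocol);
  const portPart = p === DEFAULT_PORTS[protocol] ? '' : `:${p}`;
  return `${protocol}://${hostname}${portPart}${path}`;
}

// Constructed sample: the exact configuration that loops in the issue above.
const opts = { hostname: 'example.com', port: 80, protocol: 'http' };
console.log(needsRedirect({ hostHeader: 'example.com', requestProtocol: 'http' }, opts));
// -> false (no port in Host, plain http: already canonical, no loop)
console.log(needsRedirect({ hostHeader: 'example.com', requestProtocol: 'http' }, { ...opts, port: '80' }));
// -> false (string port behaves like the number)
console.log(canonicalUrl({ ...opts, port: '80' }, '/login'));
// -> http://example.com/login
```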
I use lvh.me since my app has subdomains and I can't use localhost, 127.0.0.1, nor 192.168.x.x for that. In my production and staging environments, this package works well at redirecting non-www to www.
Code:
```javascript
app.use(forceDomain({ hostname: `www.${host}` }));
```
But in my dev environment, I am getting a too many redirects error. For it to work on dev, I need to add `port: 3001` and make sure not to commit it.
I am thinking that we can add another option like this:
```javascript
forceDomain({ dev: process.env.NODE_ENV === 'development' });
```
Where the `dev` option is a boolean: if it's a dev environment, don't use forcedomain.
I think the condition can be added here:
https://github.com/thenativeweb/forcedomain/blob/master/lib/redirect.ts#L20
This way we can make use of the `process.env.NODE_ENV` variable for the value of `dev`.
What do you think? I can work on this if it's welcome.
If not I will just create a condition on my app to use port if it's dev.
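Added example covering the two exclusion requests above (192.168.x.x and a dev switch); it is hand-written here, not forcedomain's code, and wraps any `(req, res, next)` redirect middleware rather than patching the library. Hosts that match localhost, loopback, the RFC 1918 ranges, or lvh.me and its subdomains pass straight through, and `enabled: false` (e.g. derived from `NODE_ENV`) disables the redirect entirely. `withExclusions`, `isLocalHost`, `alwaysRedirect` and the fake `req`/`res` are constructed for this example. A caveat worth keeping in mind: the Host header is supplied by the client, so an exclusion like this may only ever relax the redirect; it must not be used to grant anything else.

```javascript
// Added example, not forcedomain's own code. An `exclude` predicate that lets
// development hosts (localhost, loopback, RFC 1918 addresses, lvh.me) pass
// through untouched, plus an `enabled` switch that turns the redirect off in
// development. Wraps any (req, res, next) redirect middleware.

// Private/local hostnames, optionally followed by a port. Anchored with ^ and $
// so "192.168.1.1.evil.com" does not match.
const PRIVATE_HOST = new RegExp(
  '^(?:' +
    'localhost|' +
    '(?:[a-z0-9-]+\\.)*lvh\\.me|' +               // lvh.me and subdomains (127.0.0.1)
    '127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|' +
    '10\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|' +
    '192\\.168\\.\\d{1,3}\\.\\d{1,3}|' +
    '172\\.(?:1[6-9]|2\\d|3[01])\\.\\d{1,3}\\.\\d{1,3}' +
  ')(?::\\d+)?$',
  'i'
);

function isLocalHost(hostHeader) {
  return typeof hostHeader === 'string' && PRIVATE_HOST.test(hostHeader.trim());
}

// Returns a middleware that calls next() when disabled or when exclude(host)
// is true, and otherwise delegates to the wrapped redirect middleware.
function withExclusions(redirectMiddleware, { exclude = isLocalHost, enabled = true } = {}) {
  return function middleware(req, res, next) {
    if (!enabled || exclude(req.get('host'))) {
      return next();
    }
    return redirectMiddleware(req, res, next);
  };
}

// Stand-in redirect middleware and fake req/res, constructed for this example.
function alwaysRedirect(req, res) {
  res.redirect(301, 'https://www.example.com' + (req.originalUrl || '/'));
}
function fakeReq(host, originalUrl = '/') {
  return { originalUrl, get: (n) => (n.toLowerCase() === 'host' ? host : undefined) };
}

// What happens to a request with the given Host header: 'next' or the Location.
function outcome(host, options) {
  const res = { location: null, redirect(_status, url) { this.location = url; } };
  let next = false;
  withExclusions(alwaysRedirect, options)(fakeReq(host), res, () => { next = true; });
  return next ? 'next' : res.location;
}

// In an app the switch would come from the environment, e.g.
//   app.use(withExclusions(forceDomain({ hostname: 'www.example.com' }),
//                          { enabled: process.env.NODE_ENV !== 'development' }));
console.log(outcome('app.lvh.me:3001'));                 // next
console.log(outcome('192.168.1.20:3001'));               // next
console.log(outcome('example.com'));                     // https://www.example.com/
console.log(outcome('example.com', { enabled: false })); // next
```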
```
express <=4.17.2 || 5.0.0-alpha.1 - 5.0.0-alpha.8
Severity: high
qs vulnerable to Prototype Pollution - GHSA-hrpp-h998-j3pp
Depends on vulnerable versions of body-parser
Depends on vulnerable versions of qs
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/forcedomain/node_modules/express
  forcedomain >=2.1.0
  Depends on vulnerable versions of express
  node_modules/forcedomain

qs 6.7.0 - 6.7.2
Severity: high
qs vulnerable to Prototype Pollution - GHSA-hrpp-h998-j3pp
fix available via npm audit fix --force
Will install [email protected], which is a breaking change
node_modules/forcedomain/node_modules/qs

body-parser 1.19.0
Depends on vulnerable versions of qs
node_modules/forcedomain/node_modules/body-parser

4 high severity vulnerabilities
```
So I'm using it as follows, and my site uses the following:
```javascript
app.use(forceDomain({ hostname: 'www.mydomain.com' }));
```
The thing is that it tries to redirect to the http version of the same URL within https; this should be prevented.
I'm getting an infinite redirect loop, using CloudFront to force SSL. Has anyone experienced this?
Hi,
I've just tested forcedomain, but I got an issue:
```javascript
// forcedomain
app.use(force({
  hostname: 'mywebsite.com'
}));
```
makes a 307 redirect; for a 301 redirect, I needed to
```javascript
app.use(force({
  hostname: 'mywebsite.com',
  type: 'permanent'
}));
```
Is that the default behavior?
Do I need to add the port?
My app runs on port 8080 in development and port 80 in production.
I have a config variable I can use, but it includes http://example.com:8080 or http://example.com.
Can I just use that?
```javascript
app.use(require('node-force-domain').redirect(cfg.site_url));
```
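Added example for the three posts above (the CloudFront loop, 301 versus 307, and deriving the options from a site URL); it is hand-written here and is not forcedomain's or node-force-domain's code. Behind a TLS-terminating proxy the app sees plain http, so the scheme is read from `X-Forwarded-Proto` when, and only when, the proxy is declared trusted, otherwise a client could forge it; the status code is an explicit `permanent`/`temporary` choice; and hostname, port and protocol come from one URL such as `http://example.com:8080`. `forceSite`, `optionsFromUrl`, `effectiveProtocol`, `trustProxy` and `simulate` are names chosen for this example; bracketed IPv6 Host values are not handled here.

```javascript
// Added example, not forcedomain's own code. Redirect middleware that takes
// its target from a single site URL, honours X-Forwarded-Proto only when the
// proxy is trusted, and lets the caller pick 301 (permanent) or 307 (temporary).

const DEFAULT_PORTS = { http: 80, https: 443 };

// Derive redirect options from a URL such as "http://example.com:8080".
// port is null when the URL carries none or carries the protocol default.
function optionsFromUrl(siteUrl) {
  const u = new URL(siteUrl);
  const protocol = u.protocol.replace(':', '');
  if (!(protocol in DEFAULT_PORTS)) throw new TypeError(`unsupported scheme in ${siteUrl}`);
  return { protocol, hostname: u.hostname, port: u.port === '' ? null : Number(u.port) };
}

// Scheme of the original client request. The forwarded header is only used
// when the app has been told its proxy is trusted (the same idea as Express's
// "trust proxy" setting); an untrusted client could otherwise forge it.
function effectiveProtocol(req, trustProxy) {
  if (trustProxy) {
    const fwd = req.get('x-forwarded-proto');
    if (typeof fwd === 'string' && fwd.length > 0) {
      // Chained proxies may send a list: "https,http"; the first is the client's.
      return fwd.split(',')[0].trim().toLowerCase();
    }
  }
  return req.protocol;
}

function forceSite({ siteUrl, type = 'temporary', trustProxy = false }) {
  const wanted = optionsFromUrl(siteUrl);
  const status = type === 'permanent' ? 301 : 307;
  const wantedPort = wanted.port === null ? DEFAULT_PORTS[wanted.protocol] : wanted.port;
  return function middleware(req, res, next) {
    const host = req.get('host') || '';
    const [hostname, portStr] = host.split(':');   // "example.com:8080" -> parts
    const proto = effectiveProtocol(req, trustProxy);
    const actualPort = portStr ? Number(portStr) : DEFAULT_PORTS[proto];
    const ok = hostname.toLowerCase() === wanted.hostname
      && proto === wanted.protocol
      && actualPort === wantedPort;
    if (ok) return next();
    const portPart = wanted.port === null ? '' : `:${wanted.port}`;
    res.redirect(status, `${wanted.protocol}://${wanted.hostname}${portPart}${req.originalUrl || '/'}`);
  };
}

// Fake req/res constructed for the example; returns { next: true } or the redirect.
function simulate(cfg, { host, protocol, headers = {}, url = '/' }) {
  const req = {
    protocol,
    originalUrl: url,
    get: (n) => (n.toLowerCase() === 'host' ? host : headers[n.toLowerCase()]),
  };
  const res = { status: null, location: null, redirect(s, l) { this.status = s; this.location = l; } };
  let next = false;
  forceSite(cfg)(req, res, () => { next = true; });
  return next ? { next: true } : { status: res.status, location: res.location };
}

// Constructed sample: TLS terminated at CloudFront, the app sees http, the header says https.
const viaProxy = { host: 'www.example.com', protocol: 'http', headers: { 'x-forwarded-proto': 'https' } };
console.log(simulate({ siteUrl: 'https://www.example.com', trustProxy: true }, viaProxy));
// -> { next: true }
console.log(simulate({ siteUrl: 'https://www.example.com', trustProxy: false }, viaProxy));
// -> { status: 307, location: 'https://www.example.com/' }  (this is the loop)
console.log(simulate({ siteUrl: 'http://example.com:8080', type: 'permanent' }, { host: 'example.com', protocol: 'http' }));
// -> { status: 301, location: 'http://example.com:8080/' }
```

With `trustProxy: false` the second call shows the loop from the CloudFront post: every https request looks like http to the app, is redirected to https, arrives as http again, and so on. Enabling the trusted-proxy path (and, in Express, `app.set('trust proxy', ...)` so `req.protocol` agrees) is what breaks the cycle.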
You fixed the last lodash prototype pollution with this commit: 9c64412. Great! Could you please release it so we can upgrade the forcedomain version?