Having it per-route usually works for me. This is what I typically do:

    function requireRole (role) {
        return function (req, res, next) {
            if (req.session.user &amp;&amp; req.session.user.role === role) {
                next();
            } else {
                res.send(403);
            }
        }
    }
    
    app.get(&quot;/foo&quot;, foo.index);
    app.get(&quot;/foo/:id&quot;, requireRole(&quot;user&quot;), foo.show);
    app.post(&quot;/foo&quot;, requireRole(&quot;admin&quot;), foo.create);

    // All bars are protected
    app.all(&quot;/foo/bar&quot;, requireRole(&quot;admin&quot;));

    // All paths starting with &quot;/foo/bar/&quot; are protected
    app.all(&quot;/foo/bar/*&quot;, requireRole(&quot;user&quot;));

You can use ability-js with everyauth, which is quite similar to CanCan for Rails https://github.com/scottkf/ability-js

Take a look at [this list][1] for NodeJS ACL/Permission systems. IMHO [OptimalBits node_acl][2] looks best.


  [1]: https://gist.github.com/facultymatt/6370903
  [2]: https://github.com/OptimalBits/node_acl

There is now Node module [permission][1] for this. It&#39;s very easy to use, very similar to accepted answer, but still some features are added.


  [1]: https://www.npmjs.com/package/permission

Microsoft has just announced that a software error in calculating dates (over leap year) [caused a major outage in Windows Azure][1] last week. 

Was it really a simple error in judgement working around `DateTime.Now.AddYears(1)` on a leap year?  

What coding practices could have prevented this? 

**EDIT**
As dcstraw pointed out `DateTime.Now.AddYears(1)` on a leap year does in fact return the correct date in .NET.  So it&#39;s not a framework bug, but evidently a bug in Date calculations.

  [1]: http://blogs.msdn.com/b/windowsazure/archive/2012/03/09/summary-of-windows-azure-service-disruption-on-feb-29th-2012.aspx

How can we develop coding practices designed to protect against leap year bugs?

I have a few static util methods in my project, some of them just pass or throw an exception. There are a lot of examples out there on how to mock a static method that has a return type other than void. But how can I mock a static method that returns void to just &quot;`doNothing()`&quot;?

The non-void version uses these lines of codes:

    @PrepareForTest(StaticResource.class)
...

    PowerMockito.mockStatic(StaticResource.class);

...

    Mockito.when(StaticResource.getResource(&quot;string&quot;)).thenReturn(&quot;string&quot;);


However if applied to a `StaticResources` that returns `void`, the compile will complain that `when(T)` is not applicable for void... 

Any ideas?

A workaround would probably be to just have all static methods return some `Boolean` for success but I dislike workarounds.

How do I mock a static method that returns void with PowerMock?

We have an application that has two types of users. Depending on how the user logs in, we want them to have access to different parts of the application.

How do we implement a security model for preventing users from seeing things they do not have access to?

Do we make security part of each routes implementation? The problem being that we will have some duplicate logic across requests. We could move this into helper functions, but we&#39;d still need to remember to call it.

Do we make security part of a global app.all() route handler? The problem being that we have to inspect each route and do different logic based on a multitude of rules. At least all the code is in one place,  but then... all the code is in one place.

Node.js + Express.js User Permission Security Model

We have an application that has two types of users. Depending on how the user logs in, we want them to have access to different parts of the application.
How do we implement a security model for preventing users from seeing things they do not have access to?
Do we make security part of each routes implementation? The problem being that we will have some duplicate logic across requests. We could move this into helper functions, but we'd still need to remember to call it.
Do we make security part of a global app.all() route handler? The problem being that we have to inspect each route and do different logic based on a multitude of rules. At least all the code is in one place, but then... all the code is in one place.

I have recently watched  [this][1] video of a Finnish internet security expert. Somewhere around eleventh minute, he talks about a virus which is hidden in an image and executes when the image is about to be displayed.

I am wondering how do they technically do such a thing, I mean how come the **virus** is **executed**, when the picture should be **displayed** and how come the picture is not compromised in some way. I thought the computer first looks at the extension, then opens it with appropriate program and lets the program work itself (and I don&#39;t expect regular image viewer to be able to run a virus within itself). Obviously it doesn&#39;t work like that, but no one I asked could help me out with this.

So does anyone know how do they do this, the principle? Thank you very much.

  [1]: http://www.ted.com/talks/mikko_hypponen_fighting_viruses_defending_the_net.html

How can a virus exist in an image?

I am developing a JSON/REST web API, for which I specifically want third party websites to be able to call my service through AJAX. Hence, my service is sending the famous CORS header:

    Access-Control-Allow-Origin: *

Which allows third party sites to call my service through AJAX. All fine so far.

However, a subsection of my web api is non-public and requires authentication (pretty standard stuff with OAuth and an access_token cookie). Is it safe to enable CORS on this part of my site as well?

On the one hand, it would be cool if third party websites could have ajax clients that also interact with this part of my service. However, the reason that there is a same origin policy in the first place, is that this might be risky. You don&#39;t want any website that you visit afterwards to be able to access your private content. 

The scenario that I am afraid of is that a user logs in on my web api, either on the website or through a website that he trusts, and he forgets to logout. Will this allow every other website that he vists afterwards to access his private content using the existing session?

So my questions:

 * Is it ever safe to enable CORS on non-public content?
 * If a CORS enabled server sets a session_token through a cookie, will this cookie be saved under the domain of the CORS server or main web-page server? 


When is it safe to enable CORS?

I have unescaped data from users. 

So is it safe to use like this:

    var data = &#39;&lt;test&gt;a&amp;f&quot;#&lt;/test&gt;&#39;; // example data from ajax response
    if (typeof(data) === &#39;string&#39;)
        $(&#39;body&#39;).text(data);

Can I use like this or there is some problems like encoding or some specific symbols that I should be careful and add more strict validation?

Is jQuery .text() method XSS safe?

The app I&#39;m currently building has the requirement that the app has to prevent the OS to take a screenshot of the app when it&#39;s being pushed into the background for security reasons. This way it won&#39;t be able to see the last active screen when switching between apps.

I&#39;m planning to put this functionality in the application class&#39;s onPause method, but first I need to find out how I can achieve this functionality.

So is there anybody out there, that has a clue how to fix this? 

How do I prevent Android taking a screenshot when my app goes to the background?

I&#39;m trying to embed a youtube video on to my page once the user gives the link to the video.

    &lt;iframe width=\&#39;560\&#39; height=\&#39;315\&#39; src=&#39;http://www.youtube.com/watch?v=&lt;video id&gt;&amp;amp;output=embed&#39; frameborder=\&#39;0\&#39; allowfullscreen&gt;&lt;/iframe&gt;

But when I try to add this I get this error. After inspecting the page in chrome, I see this error in the console tab

&quot;Refused to display document because of the display is forbidden by X-Frame-Options&quot;

I&#39;m not able to see the video even in `IE` and `Firefox` also

I even tried adding the 

     header(&#39;X-Frame-Options:Allow-From http://www.youtube.com&#39;); 
     header(&#39;X-Frame-Options:GOFORIT);
     &amp;amp;output=embed to the url

After reading certain solutions in other posts.

But I still get the same error.

I also see that the youtube has the method of object embedding to show the video, but already youtube has made that as old method of embedding the video. So I want to use the new iframe method of embedding the video on to my page.

**Problem is seen in** 

- Firefox 11
- Chrome 18.0
- IE 8


Anybody faced this problem?


Embedding youtube video &quot;Refused to display document because display forbidden by X-Frame-Options&quot;

I&#39;m learning JavaScript at the moment and I don&#39;t quite understand when to write a function into a variable.

For instance, both of the following code blocks do the exact same thing in Node.js:

     var onReq = function(req, res) {
       res.write(&#39;Hello&#39;);
     };
     
     http.createServer(onReq).listen(3000);

and

    function onReq(req, res) {
       res.write(&#39;Hello&#39;);
     }
     
     http.createServer(onReq).listen(3000);


&lt;br&gt;&lt;br&gt;Which is the best method to do according to best practices, and why?

When should I store a function into a variable?

I&#39;ve got two collections in my Mongo database, and the `Foo`s contain references to one or more `Bar`s:

    Foo: { 
      prop1: true,
      prop2: true,
      bars: [
         {
         &quot;$ref&quot;: &quot;Bar&quot;,
         &quot;$id&quot;: ObjectId(&quot;blahblahblah&quot;)
         }
      ]
    }

    Bar: {
       testprop: true
    }

What I want is to find all of the `Foo`s that have at least one `Bar` that has its testprop set to true.  I&#39;ve tried this command, but it doesn&#39;t return any results:

    db.Foo.find({ &quot;bars.testprop&quot; : { &quot;$in&quot;: [ true ] } })

Any ideas?

How do I query referenced objects in MongoDB?

I am using npm v1.0.104/node 0.6.12 on ubuntu - I am receiving the error copied below while attempting to install any new modules via npm (I tested socket.io earlier using http, not https though &amp; am wondering if that could have resulted in the issue with npm/unsigned certs).  The error pops up once npm tries to resolve the &#39;https://registry.npmjs.org&#39; URL.  Is there anyway I can ignore the error or perhaps locate/add the cert to a trusted store in order to continue using npm. 

Any insight on what needs to be done to resolve the issue will be appreciated (I would prefer to resolve the issue through configuration as opposed to re-installing if possible).


&gt; Error: &quot;Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN&quot;

Full Message:

    npm ERR! Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN
    npm ERR!     at ClientRequest.&lt;anonymous&gt; (/usr/lib/node_modules/npm/node_modules/request/main.js:252:28)
    npm ERR!     at ClientRequest.emit (events.js:67:17)
    npm ERR!     at HTTPParser.onIncoming (http.js:1261:11)
    npm ERR!     at HTTPParser.onHeadersComplete (http.js:102:31)
    npm ERR!     at CleartextStream.ondata (http.js:1150:24)
    npm ERR!     at CleartextStream._push (tls.js:375:27)
    npm ERR!     at SecurePair.cycle (tls.js:734:20)
    npm ERR!     at EncryptedStream.write (tls.js:130:13)
    npm ERR!     at Socket.ondata (stream.js:38:26)
    npm ERR!     at Socket.emit (events.js:67:17)
    npm ERR! Report this *entire* log at:
    npm ERR!     &lt;http://github.com/isaacs/npm/issues&gt;
    npm ERR! or email it to:
    npm ERR!     &lt;npm-@googlegroups.com&gt;
    npm ERR! 
    npm ERR! System Linux 2.6.38-13-generic
    npm ERR! command &quot;node&quot; &quot;/usr/bin/npm&quot; &quot;install&quot; &quot;jed&quot;
    npm ERR! node -v v0.6.12
    npm ERR! npm -v 1.0.104



receiving error: &#39;Error: SSL Error: SELF_SIGNED_CERT_IN_CHAIN&#39; while using npm

I&#39;m trying to start serving some static web pages using `connect` like this:

    var connect = require(&quot;connect&quot;);
    var nowjs = require(&quot;now&quot;);
    var io = require(&quot;socket.io&quot;);
    
    
    var app = connect.createServer(
      connect.static(__dirname + &#39;/public&#39;)
    );
    
    app.listen(8180);

So I added a simple `index.html` at the `/public` directory on the same directory as the `app.js` file is, but when I try to view the page on my browser I get this response from node:

&gt; Cannot GET /

What I&#39;m doing wrong and how I can correct it?

&quot;Cannot GET /&quot; with Connect on Node.js

How can I use a C++ library from node.js?

How do i set a variable in `app.js` and have it be available in all the routes, atleast in the `index.js` file located in routes. using the express framework and `node.js`

Global Variable in app.js accessible in routes?

Again... selecting framework. I have stopped on these two TowerJS and RailwayJS, but it seams these are very similar and it is very difficult which way to choose

Both are based on Express, both are RoR style frameworks...

Which one is the most promising, which one will be more popular?


Or maybe I&#39;m already on the wrong way? Maybe I should choose other framework.

I hate when there is so much frameworks to choose from, there is no industry standard to rely on, to be more or less sure that the framework will be developed in near couple years...

Please help, need expert suggestion. Thanks


RailwayJS vs TowerJS

How can I access raw body of request object given to me by expressjs?

    var express = require(&#39;./node_modules/express&#39;);
    var app = express.createServer();
    app.post(&#39;/&#39;, function(req, res)
    {
    	console.log(req.body); //says &#39;undefined&#39;
    });
    app.listen(80);

Expressjs raw body

I would like to separate my Mongoose models in a separate file. I have attempted to do so like this:

    var mongoose = require(&quot;mongoose&quot;);
    var Schema = mongoose.Schema;
    var ObjectId = Schema.ObjectId;
    
    var Material = new Schema({
        name                :    {type: String, index: true},
        id                  :    ObjectId,
        materialId          :    String,
        surcharge           :    String,
        colors              :    {
            colorName       :    String,
            colorId         :    String,
            surcharge       :    Number
        }
    });
    
    var SeatCover = new Schema({
        ItemName            :    {type: String, index: true},
        ItemId              :    ObjectId,
        Pattern             :    String,
        Categories          :    {
            year            :    {type: Number, index: true},
            make            :    {type: String, index: true},
            model           :    {type: String, index: true},
            body            :    {type: String, index: true}
        },
        Description         :    String,
        Specifications      :    String,
        Price               :    String,
        Cost                :    String,
        Pattern             :    String,
        ImageUrl            :    String,
        Materials           :    [Materials]
    });
    
    mongoose.connect(&#39;mongodb://127.0.0.1:27017/sc&#39;);
    
    var Materials = mongoose.model(&#39;Materials&#39;, Material);
    var SeatCovers = mongoose.model(&#39;SeatCover&#39;, SeatCover);
    
    exports.Materials = Materials;
    exports.SeatCovers = SeatCovers;

Then, I have attempted to use the model like this:

    var models = require(&#39;./models&#39;); 

    exports.populateMaterials = function(req, res){
        console.log(&quot;populateMaterials&quot;);
        for (var i = 0; i &lt; materials.length; i++ ){
            var mat = new models.Materials();
            console.log(mat);
            mat.name = materials[i].variantName;
            mat.materialId = materials[i].itemNumberExtension;
            mat.surcharge = materials[i].priceOffset;
            for (var j = 0; j &lt; materials[i].colors.length; j++){
                mat.colors.colorName = materials[i].colors[j].name;
                mat.colors.colorId = materials[i].colors[j].itemNumberExtension;
                mat.colors.surcharge = materials[i].colors[j].priceOffset;
            }
            mat.save(function(err){
                if(err){
                    console.log(err);
                } else {
                    console.log(&#39;success&#39;);
                }
            });
        }
        res.render(&#39;index&#39;, { title: &#39;Express&#39; });
    };

Is this a reasonable approach to referencing a model in a separate module? 

Defining Mongoose Models in Separate Module

How can i bind a expressjs server to a specific IP

Something like

    app.listen(8888, &#39;192.168.0.101&#39;);

Equivalent to nodejs:

    http.createServer(onRequest).listen(8888,&#39;192.168.0.101&#39;);

Content Type	Original Author	Original Content on Stackoverflow
Question	Travis Parks	View Question on Stackoverflow
Solution 1 - Security	Linus Thiel	View Answer on Stackoverflow
Solution 2 - Security	Clément Renaud	View Answer on Stackoverflow
Solution 3 - Security	McMeep	View Answer on Stackoverflow
Solution 4 - Security	Tommz	View Answer on Stackoverflow

Node.js + Express.js User Permission Security Model

Security Problem Overview

Security Solutions

Solution 1 - Security

Solution 2 - Security

Solution 3 - Security

Solution 4 - Security

How do I mock a static method that returns void with PowerMock?

How can we develop coding practices designed to protect against leap year bugs?

Attributions