I need a best effective way for Node.js API Versioning - node.js

I need a best effective way for Node.js API Versioning.

REST API versioning
URL versioning
You can use routes named with versions
https://exapmpleapi/v1/...
Custom request header
You can create a new request header that contains the version.
Accept-version: v1
Accept-version: v2
Using Accept header
You can use the Accept request header with the versions.
Accept: application/example.comv;version:1.0
For code
You can use github or gitbucket.
Using npm modules
https://www.npmjs.com/package/express-api-versioning

Related

Is it possible to update parts/directives in the "content-security-policy" header using DeclarativeNetRequest API?

I am in the process of migrating from Manifest V2 to V3, from Web Request API to Declarative Net Request API. Using Web Request, I modify the "content-security-policy" header by adding a domain into the list of various directives (default-src, frame-src, etc). I tried using the "append" operation in the rule action. Is it possible to target a directive? What if the directive does not exist? Does append just add the supplied string to the end? With Web Request, I was able to examine each directive and update each accordingly, before returning the new value. This allowed me to inject a script that is needed into each frame.
Instead, would it be possible to continue to use the Web Request API with V3? In my setup, I have my Chrome extension "Published - unlisted". I do use the force install option when deploying the extension to our internal users, and the only reason I have it unlisted and not private is so that the users who have the extension can get updated whenever a new version is released. Would it be possible to have users updated without having the extension listed? Perhaps by hosting the extension on my own server? Please advise on what can be done to have the ability to update the response header, specifically the "content-security-policy" header the way I have done before, and whether I can continue to use Web Request API going forward (using V3). In the Chrome dev website, there's a mention about continuing to use Web Request if force install is used, and only if it's "deployed to a given domain or to trusted testers", but I'm not sure what that actually means. What would I need to do to meet the criteria?
I tried using the append operation in the rule action via the Declarative Net Request API, but it's not working as expected. I don't see the security policy being updated when I inspect the response header in dev tools. I also get errors stating that many scripts, images, etc. violate the security policy for websites that did not have one to begin with (my extension targets any website).
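An added example (not from the original post) that models why an appended policy cannot widen an existing one: when a response carries several Content-Security-Policy values, a load must satisfy every one of them, so relaxing a directive means rewriting the existing value, as the Web Request approach in the question did. The origins, the function names and the simplified source matching are assumptions made for illustration.

```javascript
// Simplified model of CSP enforcement across several header values (added example).
// Models only '*', 'self' and origin sources with default-src fallback;
// child-src, nonces, hashes and paths are not modelled.

// Parse one policy into Map(directive -> sources); the first occurrence of a directive wins.
function parsePolicy(value) {
  const policy = new Map();
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Does one policy allow loading `url` under `directive` for a page at `pageOrigin`?
function policyAllows(policy, directive, url, pageOrigin) {
  const sources = policy.get(directive) ?? policy.get('default-src');
  if (sources === undefined) return true; // this policy does not restrict the load
  const origin = new URL(url).origin;
  return sources.some((s) =>
    s === '*' || (s === "'self'" && origin === pageOrigin) || s === origin);
}

// Several policies on one response: the load has to pass all of them.
function loadAllowed(headerValues, directive, url, pageOrigin) {
  return headerValues.map(parsePolicy)
    .every((p) => policyAllows(p, directive, url, pageOrigin));
}

// Per-directive rewrite of one existing value (what examining each directive amounts to).
function addSource(value, source, directives) {
  const policy = parsePolicy(value);
  for (const d of directives) {
    // A missing directive inherits default-src, so the new list starts from it.
    const base = policy.get(d) ?? policy.get('default-src');
    if (base === undefined) continue; // nothing restricts this directive; leave it unset
    const kept = base.filter((s) => s !== "'none'"); // 'none' must not sit beside a source
    if (!kept.includes(source)) kept.push(source);
    policy.set(d, kept);
  }
  return [...policy].map(([name, sources]) => [name, ...sources].join(' ')).join('; ');
}
```

With a page policy of `default-src 'self'`, adding a second value `frame-src https://inject.example` still leaves that frame blocked by the first policy, and on a site that sent no policy the added value becomes the only policy and starts blocking loads it does not list, which matches the errors described in the question.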

Is it possible to identify which client sent a HTTP request?

Is it possible to identify the client / library which sent a HTTP request?
I am trying to fetch some data via an API and it is possible to query the API via cURL and python, but when I try to use node (doesn't matter which library, axios requests, unirest, native, ...) or wget I get a proprietary error back from the backend.
Now I am wondering if the backend is able to identify which library I am using.
More information:
The requests are exactly the same, so no way to distinguish them
The user-agent header field is set and overwritten for all requests
I already tried to monitor the traffic in Wireshark, but couldn't find any differences between the packets on the HTTP layer (only the order of the header fields is different, but according to the standard this shouldn't make a difference)
It turns out that the problem was TLS fingerprinting.
See: https://httptoolkit.tech/blog/tls-fingerprinting-node-js/
Node.js uses Google's V8 JS engine. V8-based HTTP request clients will not allow you to override headers that would compromise 'web safety', so for example if you are setting "Origin, Host, Referrer" headers, Node might refuse to do so. I had the same issue previously.
Un-opinionated HTTP clients, such as the ones written in C++ (curl) and Python, won't 'web safety' check your requests, so that is what is causing the difference in behavior.
In my case I used a C++ library that I called from javascript to make my 'unsafe' requests and the problem was solved.
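An added example (not part of the original thread) of the TLS fingerprinting mentioned above: a backend can derive a JA3-style string from the ClientHello, so two clients sending byte-identical HTTP requests still look different. The ClientHello field values, the `knownFingerprints` table and the function names are constructed for illustration; the fields are assumed to be already parsed from the handshake.

```javascript
// JA3-style fingerprint from parsed ClientHello fields (added example, constructed data).

// GREASE values (RFC 8701) have the form 0x?A?A with both bytes equal; JA3 ignores them
// because clients randomise them per connection.
const isGrease = (v) => (v & 0x0f0f) === 0x0a0a && (v >> 8) === (v & 0xff);

// JA3 string: version,ciphers,extensions,curves,pointFormats in decimal, '-' separated.
// The JA3 hash commonly seen in logs is the MD5 of this string.
function ja3String(hello) {
  const list = (values) => values.filter((v) => !isGrease(v)).join('-');
  return [
    hello.version,
    list(hello.ciphers),
    list(hello.extensions),
    list(hello.curves),
    hello.pointFormats.join('-'),
  ].join(',');
}

// Look the fingerprint up in a table of previously observed client stacks.
function classifyClient(hello, knownFingerprints) {
  return knownFingerprints.get(ja3String(hello)) ?? 'unknown';
}

// Two constructed clients: same User-Agent, different TLS stacks.
const clientA = {
  userAgent: 'example-agent/1.0', version: 771,
  ciphers: [0x1a1a, 4865, 4866, 4867, 49195],
  extensions: [0x2a2a, 0, 23, 65281, 10, 11, 35],
  curves: [0x3a3a, 29, 23, 24], pointFormats: [0],
};
const clientB = {
  userAgent: 'example-agent/1.0', version: 771,
  ciphers: [4866, 4867, 4865, 49199, 49195],
  extensions: [0, 11, 10, 35, 23],
  curves: [29, 23, 30, 25, 24], pointFormats: [0],
};

// Hypothetical server-side table keyed by JA3 string.
const knownFingerprints = new Map([
  [ja3String(clientA), 'stack-A'],
  [ja3String(clientB), 'stack-B'],
]);
```

The User-Agent header never enters the fingerprint, so overwriting it does not change how the client is classified.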

How to validate URLs with express?

I'm looking to validate URLs by whitelisting a certain list which are allowed. I am using a Node.js server with express.js.
I've looked into using the Node.js library "validator", but this means I need access to the full URL that the request was sent from. However, if the user searches for https://localhost:8080/index.html I have found no way of handling that request, so that I can pass it through the validator library and thus accept or reject it.
You can do so using the NPM package 'express-validator' which contains a whitelist sanitation chain API.
https://github.com/validatorjs/validator.js#sanitizers
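An added example (not from the original thread) of one way to allowlist the full request URL in an Express-style middleware: the absolute URL is rebuilt from `req.originalUrl` against a fixed origin instead of the client-supplied Host header, normalised by the URL parser, then compared with the allowlist. `TRUSTED_ORIGIN`, `ALLOWED_URLS` and the function names are hypothetical.

```javascript
// Allowlist check on the full request URL (added example, hypothetical values).
const TRUSTED_ORIGIN = 'https://localhost:8080'; // the origin this server is deployed as
const ALLOWED_URLS = new Set([
  'https://localhost:8080/index.html',
  'https://localhost:8080/about.html',
]);

// Rebuild the absolute URL for a request. The WHATWG URL parser resolves dot
// segments, so "/a/../index.html" is compared as "/index.html".
function fullRequestUrl(req) {
  let url;
  try {
    url = new URL(req.originalUrl ?? req.url, TRUSTED_ORIGIN);
  } catch {
    return null; // unparsable request target
  }
  // A target such as "//other.example/x" resolves to a different host; reject it.
  if (url.origin !== TRUSTED_ORIGIN) return null;
  url.search = ''; // the allowlist is keyed on origin + path only
  url.hash = '';
  return url.href;
}

// Express-style middleware: pass allowlisted URLs on, answer 403 for everything else.
function allowlistUrls(req, res, next) {
  const href = fullRequestUrl(req);
  if (href !== null && ALLOWED_URLS.has(href)) return next();
  res.status(403).send('URL not allowed');
}
```

Mounted with `app.use(allowlistUrls)` ahead of the routes, it runs for every request before any handler.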

Auto-generate swagger.yaml from hapi-js routes

I'm working with a fairly complex NodeJS API that has been written using hapiJS.
The API uses the hapi-swagger npm module to generate the API documentation.
I'm now investigating how to integrate the Amazon API Gateway with this API, in order to provide the authentication/request throttling etc.
To create an Amazon Gateway API, it appears that I need to provide a Swagger definition.
My question is, how do I generate this swagger definition? I'm assuming there must be some way to do this automatically from hapi-swagger, but I haven't been able to find it.
If you are using hapi-swagger the default endpoint that returns the swagger.json is /swagger.json.
See https://github.com/glennjones/hapi-swagger/blob/c02dd0dc8632766006854d1a4ddcd88a77a411c8/optionsreference.md#json-json-endpoint-needed-to-create-ui --> jsonPath

Customize ServiceStack v3 JsConfig based on request header

I have an existing v3 ServiceStack implementation and I want to change the way in which the dates are serialized/deserialized. However, since there are a large number of existing external customers using this service I can't just make that change globally without breaking their mobile applications that use my services.
As a result I want to change the JsConfig<DateTime>.SerializeFn but only when a particular request header is identified.
How would I go about this per request, rather than at the application level?
