@plasius/api
v1.0.20
Published
Generic public API security and middleware helpers.
Maintainers
Readme
@plasius/api
Public generic API helper package.
What this package contains
- Public helper exports compiled to
dist/** - Reusable transport-security helper utilities
- Reusable session helper utilities compatible with
withSessionmiddleware - Reusable generic parameter-validation middleware for request ingress checks
- Governance/legal materials (
docs/**,legal/**)
Package Boundary (Public by Design)
@plasius/apiis intentionally a generic helper package.- Private application handlers and business-specific backend code must remain in private consumer repositories.
- Publish safeguards now block packaging of private runtime trees (
src/**, local settings, and generated OpenAPI artifacts). npm run pack:checkalso fails if public code roots (src/**,tests/**,demo/**) contain forbidden private/product identifiers.
Transport Security Baseline
- Exports helper functions:
applyBaselineSecurityHeaders(headers)isHttpsRequest(request)isInsecureLocalRequest(request)shouldEnforceHttps()
- These helpers support strict header policy and HTTPS enforcement behavior for callers.
Session Helper Baseline
- Exports helper functions:
ensureSession(request, options?)getSessionIdFromRequest(request, cookieName?)createSessionCookie(sessionId, options?)
withSessionmiddleware is implemented using these helpers and keeps secure defaults (HttpOnly,Secure,SameSite=Lax,Path=/).
Request Validation Baseline
- Exports helper middleware:
withValidatedParam({ paramName, validate, contextKey? })
- Consumers keep validation policy local by supplying their own validator and normalized value contract.
API Error Localization
- Exports package-owned
en-GBerror translations throughapiEnGbTranslations. - Standard HTTP error helpers now return default English text from
@plasius/translationsand include a stableerrorKey. - Text-body middleware responses keep their existing default English body and expose the key through the
x-plasius-error-keyresponse header.
import {
apiErrorTranslationKeys,
createApiErrorResponse,
} from "@plasius/api";
const response = createApiErrorResponse(404, apiErrorTranslationKeys.notFound);Security Configuration
CORS_ALLOWED_ORIGINSorALLOWED_ORIGINS: comma-separated trusted browser origins for credentialed CORS. Credentialed wildcard CORS is rejected by default.HMAC_SECRET: required before request IP addresses are hashed for privacy-preserving request logs.RATE_LIMIT_HMAC_SECRET: required for rate-limit identity hashing. If omitted,HMAC_SECRETis used.AUTH_COOKIE_SAME_SITEorCOOKIE_SAME_SITE: optional cookieSameSiteoverride. Defaults toLax; useNoneonly for HTTPS deployments that genuinely require cross-site cookies.PUBLIC_BASE_URL,FRONTEND_DOMAIN, orDOMAIN: configured deployment origin used before request-derived URL data for cookie security decisions.TRUST_PROXY_HEADERS: opt-in flag for using forwarded host/proto/IP headers. Leave unset unless the deployment edge strips and rewrites those headers.RATE_LIMIT_FAIL_OPEN: optional override for production rate-limit backend outages. Production fails closed by default.
Install
npm install @plasius/apiEntrypoints
- Main module:
@plasius/api - Middleware module:
@plasius/api/middleware
Example
import {
applyBaselineSecurityHeaders,
isHttpsRequest,
shouldEnforceHttps,
} from "@plasius/api";import { withCors, withRateLimiting, withMiddleware } from "@plasius/api/middleware";import { withValidatedParam } from "@plasius/api/middleware";
const requireUserId = withValidatedParam({
paramName: "id",
validate: (rawValue) =>
typeof rawValue === "string" && rawValue.trim()
? { ok: true, value: rawValue.trim() }
: { ok: false, error: "Invalid user ID" },
});Local development
npm ci
npm run build
npm test
npm run pack:checknpm run build compiles the public package entrypoint to dist/.
Publish checklist
- Update
CHANGELOG.mdunderUnreleased. - Run
npm ci && npm run clean && npm run build && npm test && npm run pack:check. - Bump
package.jsonversion. - Tag and push (
vX.Y.Z). - Publish through the CD workflow (recommended) or
npm publish.
Governance
- Contributing guidance:
CONTRIBUTING.md - Security policy:
SECURITY.md - Code of conduct:
CODE_OF_CONDUCT.md - ADRs:
docs/adrs - CLA and legal docs:
legal
License
Apache-2.0
