Enforcing Permissions

To use Sandworm in production mode and start enforcing module API access restrictions, provide a permissions array to Sandworm.init:
const Sandworm = require('@sandworm/guard');
Sandworm.init({
  devMode: process.env.NODE_ENV === 'development',
  permissions: [{module: 'react-use', permissions: ['Storage.getItem', 'Storage.setItem']}],
});
  • Update the devMode config to reflect your environment by using environment variables or any other available signal.
  • Provide an array of permission descriptors: objects with a module name and a permissions array of strings naming the allowed methods.
  • The inspector can generate a baseline permissions array for you based on the activity captured in dev mode.
When detecting an unauthorized execution attempt, Sandworm throws a SandwormError. Besides the message attribute, this error object also includes more details about the event:
  • module: the invoking module name or path
  • method: the invoked method, for example fs.readFile
Note that errors might be swallowed by third-party code and never reach the root level, so catching a SandwormError, while recommended, will not always work. To make sure your app code is notified about every unauthorized execution, use the onAccessDenied configuration option to register a callback. Sandworm always triggers it right before throwing and passes it the SandwormError object as an argument.
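const Sandworm = require('@sandworm/guard');
Sandworm.init({
  devMode: process.env.NODE_ENV === 'development',
  permissions: [...],
  // Runs right before Sandworm throws, even if a dependency later swallows the error.
  onAccessDenied: (error) => {
    // trackOrLogError stands for your app's own logging or telemetry function.
    trackOrLogError(error.module, error.method);
  },
});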
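The following is an added example, not code from the original page or from Sandworm itself: it shows why the callback still sees a denial that a dependency's catch-all hides from your own try/catch. DeniedError, makeGuard, makeDenialTracker and runScenario are hypothetical stand-ins that model only the behaviour described above (callback fired right before the throw, error carrying module and method); the scenario input is constructed.

```javascript
// Stand-in for SandwormError (assumption: only `module` and `method` are modelled).
class DeniedError extends Error {
  constructor(moduleName, method) {
    super(`${moduleName} is not allowed to call ${method}`);
    this.module = moduleName;
    this.method = method;
  }
}

// Hypothetical enforcement helper using a permissions array shaped like the page's.
function makeGuard({ permissions, onAccessDenied }) {
  const allowed = new Map(permissions.map((p) => [p.module, new Set(p.permissions)]));
  return function enforce(moduleName, method) {
    if (allowed.get(moduleName)?.has(method)) return true;
    const error = new DeniedError(moduleName, method);
    if (onAccessDenied) onAccessDenied(error); // fires before the throw
    throw error;
  };
}

// Callback that counts denials per module/method pair for later reporting.
function makeDenialTracker() {
  const counts = new Map();
  return {
    onAccessDenied(error) {
      const key = `${error.module}:${error.method}`;
      counts.set(key, (counts.get(key) || 0) + 1);
    },
    report: () => Object.fromEntries(counts),
  };
}

// Constructed scenario: a dependency wraps its call in a catch-all and hides the failure.
function runScenario() {
  const tracker = makeDenialTracker();
  const enforce = makeGuard({
    permissions: [{ module: 'react-use', permissions: ['Storage.getItem', 'Storage.setItem'] }],
    onAccessDenied: tracker.onAccessDenied,
  });
  const thirdPartyRead = () => {
    try { enforce('react-use', 'fs.readFile'); } catch (_) { return null; } // swallowed
  };
  let reachedAppCode = false;
  try { thirdPartyRead(); thirdPartyRead(); } catch (_) { reachedAppCode = true; }
  enforce('react-use', 'Storage.getItem'); // permitted call: no callback, no throw
  return { reachedAppCode, denials: tracker.report() };
}
```

Here the app-level catch never runs, yet the tracker records both denied fs.readFile attempts.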