@apiposture/cli 1.0.1 → 1.1.3

package/.github/workflows/test.yml

@@ -12,7 +12,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [18.x, 20.x, 22.x]
+        node-version: [20.x, 22.x]
 
     steps:
       - name: Checkout repository

package/dist/core/discovery/express-discoverer.js

@@ -35,7 +35,7 @@ export class ExpressDiscoverer {
     collectRouterMounts(sourceFile, filePath) {
         const callExpressions = findNodes(sourceFile, ts.isCallExpression);
         for (const callExpr of callExpressions) {
-            // Look for app.use('/prefix', router)
+            // Look for app.use('/prefix', router) or app.use('/path', middleware())
             if (!ts.isPropertyAccessExpression(callExpr.expression))
                 continue;
             const propAccess = callExpr.expression;
@@ -47,17 +47,31 @@ export class ExpressDiscoverer {
                 continue;
             const firstArg = args[0];
             const secondArg = args[1];
-            // Check for app.use('/prefix', router)
-            if (ts.isStringLiteral(firstArg) && ts.isIdentifier(secondArg)) {
-                const prefix = firstArg.text;
-                const routerName = secondArg.text;
-                const appName = ts.isIdentifier(propAccess.expression)
-                    ? propAccess.expression.text
-                    : '';
-                if (appName) {
-                    this.registry.registerRouterMount(filePath, appName, prefix, routerName);
+            // Must start with a string path
+            if (!ts.isStringLiteral(firstArg))
+                continue;
+            const prefix = firstArg.text;
+            const appName = ts.isIdentifier(propAccess.expression)
+                ? propAccess.expression.text
+                : '';
+            if (!appName)
+                continue;
+            // Check for app.use('/prefix', router) — router is a simple identifier
+            if (ts.isIdentifier(secondArg)) {
+                this.registry.registerRouterMount(filePath, appName, prefix, secondArg.text);
+            }
+            // Also collect path-scoped middleware: app.use('/path', middleware(), ...)
+            // These middleware apply to all routes matching the path prefix
+            const pathMiddlewares = [];
+            for (let i = 1; i < args.length; i++) {
+                const mwName = this.extractMiddlewareName(args[i], sourceFile);
+                if (mwName) {
+                    pathMiddlewares.push(mwName);
                 }
             }
+            if (pathMiddlewares.length > 0) {
+                this.registry.registerPathMiddleware(filePath, prefix, pathMiddlewares);
+            }
         }
     }
     processCallExpression(callExpr, sourceFile, filePath) {
@@ -90,14 +104,29 @@ export class ExpressDiscoverer {
         const fullRoute = this.normalizePath(prefix + routePath);
         // Extract middleware chain (all arguments except last handler)
         const middlewares = this.extractMiddlewares(args, sourceFile);
+        // When there are exactly 2 args (path + one function), the function is treated
+        // as the handler. But it might actually be auth middleware (e.g., security.isAuthorized()).
+        // Also extract its name as potential middleware so auth extraction can check it.
+        const lastArg = args[args.length - 1];
+        if (args.length === 2 && ts.isStringLiteral(args[0])) {
+            const lastArgName = this.extractMiddlewareName(lastArg, sourceFile);
+            if (lastArgName) {
+                middlewares.push(lastArgName);
+            }
+        }
         // Get handler name
-        const handlerName = this.extractHandlerName(args[args.length - 1], sourceFile);
+        const handlerName = this.extractHandlerName(lastArg, sourceFile);
         // Get location
         const location = getLineAndColumn(sourceFile, callExpr.getStart(sourceFile));
+        // Include path-scoped middleware registered via app.use('/path', middleware())
+        const pathMiddlewares = this.registry.getPathMiddlewares(fullRoute);
         // Extract authorization info
         const authorization = this.authExtractor.extract(middlewares, {
             isRouter: callerName !== 'app',
-            routerMiddlewares: this.registry.getAllMiddlewares(filePath, callerName),
+            routerMiddlewares: [
+                ...this.registry.getAllMiddlewares(filePath, callerName),
+                ...pathMiddlewares,
+            ],
         });
         return createEndpoint({
             route: fullRoute,

package/dist/core/discovery/route-group-registry.d.ts

@@ -7,11 +7,14 @@ export interface RouteGroup {
 export declare class RouteGroupRegistry {
     private groups;
     private routerMounts;
+    private pathMiddlewares;
     registerGroup(filePath: string, variableName: string, prefix?: string, middlewares?: string[]): void;
     registerRouterMount(filePath: string, appVariableName: string, prefix: string, routerName: string): void;
     getGroup(filePath: string, variableName: string): RouteGroup | undefined;
     getRouterPrefix(filePath: string, routerName: string): string;
     getAllMiddlewares(filePath: string, variableName: string): string[];
+    registerPathMiddleware(filePath: string, prefix: string, middlewares: string[]): void;
+    getPathMiddlewares(route: string): string[];
     clear(): void;
     private makeKey;
 }

package/dist/core/discovery/route-group-registry.js

@@ -1,6 +1,7 @@
 export class RouteGroupRegistry {
     groups = new Map();
     routerMounts = new Map();
+    pathMiddlewares = [];
     registerGroup(filePath, variableName, prefix = '', middlewares = []) {
         const key = this.makeKey(filePath, variableName);
         const group = {
@@ -39,9 +40,23 @@ export class RouteGroupRegistry {
         const group = this.getGroup(filePath, variableName);
         return group?.middlewares ?? [];
     }
+    registerPathMiddleware(filePath, prefix, middlewares) {
+        this.pathMiddlewares.push({ prefix, middlewares, filePath });
+    }
+    getPathMiddlewares(route) {
+        const result = [];
+        for (const pm of this.pathMiddlewares) {
+            // Check if route starts with the middleware prefix
+            if (route === pm.prefix || route.startsWith(pm.prefix + '/')) {
+                result.push(...pm.middlewares);
+            }
+        }
+        return result;
+    }
     clear() {
         this.groups.clear();
         this.routerMounts.clear();
+        this.pathMiddlewares = [];
     }
     makeKey(filePath, variableName) {
         return `${filePath}::${variableName}`;

package/dist/lib.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Library entry point for @apiposture/cli.
+ * Re-exports all public types, functions, and classes for use by other packages.
+ */
+export * from './core/models/index.js';
+export { ProjectAnalyzer } from './core/analysis/project-analyzer.js';
+export { SourceFileLoader } from './core/analysis/source-file-loader.js';
+export * from './core/discovery/index.js';
+export { RuleEngine } from './rules/rule-engine.js';
+export type { SecurityRule } from './rules/rule-interface.js';
+export type { OutputFormatter, FormatterOptions } from './output/formatter-interface.js';
+export { TerminalFormatter } from './output/terminal-formatter.js';
+export { JsonFormatter } from './output/json-formatter.js';
+export { MarkdownFormatter } from './output/markdown-formatter.js';
+//# sourceMappingURL=lib.d.ts.map

package/dist/lib.js

@@ -0,0 +1,17 @@
+/**
+ * Library entry point for @apiposture/cli.
+ * Re-exports all public types, functions, and classes for use by other packages.
+ */
+// Models
+export * from './core/models/index.js';
+// Analysis
+export { ProjectAnalyzer } from './core/analysis/project-analyzer.js';
+export { SourceFileLoader } from './core/analysis/source-file-loader.js';
+// Discovery
+export * from './core/discovery/index.js';
+// Rules
+export { RuleEngine } from './rules/rule-engine.js';
+export { TerminalFormatter } from './output/terminal-formatter.js';
+export { JsonFormatter } from './output/json-formatter.js';
+export { MarkdownFormatter } from './output/markdown-formatter.js';
+//# sourceMappingURL=lib.js.map

package/dist/rules/consistency/missing-auth-on-writes.d.ts

@@ -16,6 +16,7 @@ export declare class MissingAuthOnWrites implements SecurityRule {
     readonly description = "Write operation has no authentication and no explicit public marker";
     readonly severity = Severity.Critical;
     evaluate(endpoint: Endpoint): Finding[];
+    private isAuthEndpoint;
     private getRecommendation;
 }
 //# sourceMappingURL=missing-auth-on-writes.d.ts.map

package/dist/rules/consistency/missing-auth-on-writes.js

@@ -2,6 +2,31 @@ import { createFinding } from '../../core/models/finding.js';
 import { Severity } from '../../core/models/severity.js';
 import { SecurityClassification } from '../../core/models/security-classification.js';
 import { isWriteMethod } from '../../core/models/http-method.js';
+// Routes that are inherently public (authentication endpoints themselves)
+const AUTH_ENDPOINT_PATTERNS = [
+    /^\/login$/i,
+    /^\/signin$/i,
+    /^\/signup$/i,
+    /^\/register$/i,
+    /^\/auth\/login$/i,
+    /^\/auth\/register$/i,
+    /^\/auth\/signup$/i,
+    /^\/api\/auth\/login$/i,
+    /^\/api\/auth\/register$/i,
+    /^\/api\/auth\/signup$/i,
+    /\/users\/login$/i,
+    /\/users\/register$/i,
+    /\/users\/signup$/i,
+    /\/user\/login$/i,
+    /\/user\/register$/i,
+    /\/user\/signup$/i,
+    /\/user\/reset-password$/i,
+    /\/password\/reset$/i,
+    /\/password\/forgot$/i,
+    /\/forgot-?password$/i,
+    /\/reset-?password$/i,
+    /\/oauth\/token$/i,
+];
 /**
  * AP004: Missing authentication on write operations
  *
@@ -22,10 +47,12 @@ export class MissingAuthOnWrites {
         // 1. It's a write method
         // 2. No authentication
         // 3. No explicit public marker (so it's accidentally open, not intentionally)
+        // 4. Not an authentication endpoint itself (login/signup/register are inherently public)
         if (isWriteMethod(endpoint.method) &&
             auth.classification === SecurityClassification.Public &&
             !auth.isAuthenticated &&
-            !auth.isExplicitlyPublic) {
+            !auth.isExplicitlyPublic &&
+            !this.isAuthEndpoint(endpoint.route)) {
             findings.push(createFinding({
                 ruleId: this.id,
                 ruleName: this.name,
@@ -38,6 +65,9 @@ export class MissingAuthOnWrites {
         }
         return findings;
     }
+    isAuthEndpoint(route) {
+        return AUTH_ENDPOINT_PATTERNS.some((pattern) => pattern.test(route));
+    }
     getRecommendation(endpoint) {
         switch (endpoint.type) {
             case 'express':

package/package.json

@@ -1,8 +1,16 @@
 {
   "name": "@apiposture/cli",
-  "version": "1.0.1",
+  "version": "1.1.3",
   "description": "Static source-code analysis CLI for Node.js API frameworks to identify authorization misconfigurations and security risks",
-  "main": "dist/index.js",
+  "main": "dist/lib.js",
+  "types": "dist/lib.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/lib.d.ts",
+      "default": "./dist/lib.js"
+    },
+    "./dist/*": "./dist/*"
+  },
   "bin": {
     "apiposture": "dist/index.js"
   },
@@ -38,10 +46,10 @@
   },
   "homepage": "https://github.com/BlagoCuljak/ApiPosture.Node.js#readme",
   "engines": {
-    "node": ">=18.0.0"
+    "node": ">=20.0.0"
   },
   "dependencies": {
-    "axios": "^1.6.0",
+    "axios": "^1.13.5",
     "chalk": "^5.3.0",
     "cli-table3": "^0.6.3",
     "commander": "^12.0.0",
@@ -55,6 +63,6 @@
     "eslint": "^8.56.0",
     "tsx": "^4.7.0",
     "typescript": "^5.3.0",
-    "vitest": "^1.0.0"
+    "vitest": "^4.0.18"
   }
 }