Allow restricting entire routes

Suppose an application contains the following routes which should be restricted:

/admin/deleteuser
/admin/createuser
/admin/moresecretstuff

Would it be possible to just specify /admin and all sub-routes will be restricted too?

I don't know if there are better ways, but I found a potential solution.

If privateURLArray is tested against a filter function (similar to the one suggested here), e.g.:

item => new RegExp('^' + item.replace(/\*/g, '.*') + '$').test(str)

Then this line

slimauth/src/slimauth.js

Line 230 in a88637e

if (req.userID == undefined && privateURLObject[req.baseUrl + req.path]) {

Can be replaced with:

if (req.userID == undefined && filterBy(req.baseUrl + req.path).length) {

With this, privateURLArray can be set to /admin* and it will restrict all the sub-routes.

[kumarasinghe]

Hi! Thanks for raising this matter.
It is recommended to add all your private routes to privateURLArray
Wide card matching on private routes wasn't implemented at first place since they are expensive operations.
Do you have a large number of private routes in your project?

Do you have a large number of private routes in your project?

Currently not, but I would like to, and it would be very cumbersome to specify the full route for each one.

[kumarasinghe]

I understand. Let's see if I can think of a way to do this without trading off performance.

A thought recently occurred to me. Would adding an option to set an "allowlist" instead of the current blocklist be a possible solution?
It would certainly work for me, and it also has the benefit of being secure by default.