
Unintentionally Bypassing Middleware with Case-Sensitive Negative Regex

Open dbohannon opened this issue 9 years ago • 0 comments

In the snippet below, the basicAuth middleware will be applied to all routes beginning with /secure/.

var unless = require('express-unless');
...
// Case-sensitive regex: basicAuth is skipped for every path that does not start with "/secure/"
app.use(basicAuth.unless({path: /^(?!\/secure\/).*/}));

However, Express uses case-insensitive routing by default. This means that if we use the above regex and have a route /secure/endpoint, we can bypass the basicAuth middleware by requesting the route /SECURE/endpoint.

The documentation for the path option should be updated to bring this to the developer's attention. The developer should always use the case-insensitive 'i' flag when using a negative regular expression (i.e., {path: /^(?!\/secure\/).*/i}) or set the Express case sensitive routing option to true.

An alternate solution is to update the default behavior of the express-unless path option to include the 'i' option by default when using regular expressions. This would make the default express-unless behavior align with the default Express routing behavior; however, this would be a breaking change.

dbohannon, Nov 23 '16 19:11