GitHub - rodrigo-areyzaga/accguard: Session-aware access control proxy for local test environments · GitHub
accguard
Session-aware access control proxy for local test environments.
Sits between your test suite and your app and watches authenticated requests. After your tests complete, it replays them with a second user's token to confirm that access control is actually enforced.
Legal notice
You must only use accguard against systems you own or have explicit written permission to test.
Unauthorized use may violate the Computer Fraud and Abuse Act (US), the Computer Misuse Act (UK), or equivalent laws in your jurisdiction. accguard only operates against localhost and private network addresses. Any attempt to point it at a public IP address will be blocked at startup.
How it works
1. You run accguard alongside your existing test suite.
2. Your tests run normally — accguard silently records every authenticated API request.
3. When tests finish, accguard replays each request using a second user's token.
4. Any endpoint that returns real data to the wrong user is reported as a confirmed finding.
No changes to your test code. No new testing concepts. One config file.
Setup
```bash
# No install step yet — run directly with node
node src/cli.js
```
Create accguard.config.json in your project root:
```json
{
  "target": "http://localhost:3000",
  "port": 8877,
  "scope": ["/api/"],
  "exclude": ["/api/health", "/api/public/"],
  "outputFile": "accguard-report.json"
}
```
Running with your tests
```bash
# Terminal 1 — start accguard
node src/cli.js

# Terminal 2 — run your tests with the proxy set
HTTP_PROXY=http://127.0.0.1:8877 npm test

# When tests finish, Ctrl+C accguard — it will replay and report
```
Provide a second user's token to enable replay:
```bash
ACCGUARD_TOKEN_B="session-token-of-another-user" node src/cli.js
```
CI integration (GitHub Actions example)
```yaml
- name: Start app
  run: npm start &

- name: Start accguard
  run: node src/cli.js &
  env:
    ACCGUARD_TOKEN_B: ${{ secrets.TEST_USER_B_TOKEN }}

- name: Run tests
  run: HTTP_PROXY=http://127.0.0.1:8877 npm test

- name: Flush accguard
  run: curl -s -X POST http://127.0.0.1:8877/--flush
  # accguard exits with code 1 if findings exist — fails the CI step
```
Running the test suite
```bash
node test/run.js
```
The test suite starts a fake vulnerable app with a deliberate IDOR bug and confirms accguard detects it.
What accguard does NOT do
- Intercept HTTPS traffic (no certificate injection, ever)
- Modify requests in any way
- Store request bodies, response bodies, or raw tokens
- Connect to any public IP address
- Run as a persistent background daemon
- Scan ports or discover hosts
Configuration reference
| Field | Required | Description |
|---|---|---|
| target | yes | URL of your local app |
| scope | yes | Path prefixes to record (e.g. ["/api/"]) |
| exclude | no | Path prefixes to always skip |
| port | no | Proxy port (default: 8877) |
| outputFile | no | JSON report path (default: accguard-report.json) |
Environment variables
| Variable | Description |
|---|---|
| ACCGUARD_TOKEN_B | Second user's session token for replay |
| ACCGUARD_CONFIG | Path to config file (default: ./accguard.config.json) |
Topics: nodejs, testing, security, proxy, developer-tools, access-control, appsec, idor
Languages: JavaScript 100.0%