New Error Handling and Header Based IP Handling

[ryanbillingsley]

Based on the PR opened by @au in #29, express-ipfilter will no longer try and handle any kind of error. Instead, it uses ExpressJS' built-in middleware error handling, passing a IpDeniedError through the middleware, which you can then handle however you choose.

The settings that were added in 0.1.0 to toggle header based IP addresses such as allowCloudFlare have been removed in favor of a more flexible array of headers, allowedHeaders. Simply add the header name that you want to allow, and it will use that value stored in the header as the IP, unless it can't find one, in which case it will use the IP from ExpressJS.

This PR will be open until September 2nd, 2016 for comment and then it will be merged in.

[ghost]

Awesome stuff. I updated my repo with

var ipfilter = require('express-ipfilter').IpFilter
var blacklist = process.env.BANNED_IP.split(',')
var IpDeniedError = require('express-ipfilter').IpDeniedError

app.use(ipfilter(blacklist, {
    log: false,
}), function(err, req, res, next) {
    if(err instanceof IpDeniedError){
        res.sendStatus(403)
    } else {
        res.sendStatus(err.status || 500);
    }
})

One quip — without any error handling (i.e., with app.use(ipfilter(ips)); only), the user would receive

Which can be a jarring vulnerability to those who simply paste in the working example. Not sure how to go about fixing it.

[ryanbillingsley]

@au last time I checked ( and it has been a bit) Express shipped with some boilerplate that prevented stack traces from leaking out in production, but in development it will show them. It should be the last middleware in the stack, and it is in the example as well. I also added a bit about it in the documentation.