The server maintains considerable state on its own behalf. Some of that state can reasonably be put to use by server-side plugins.
# Security
The server can confirm that a request comes from a logged-in administrator. This is usually written as an Express route filter: call `next()` only when the check passes, otherwise answer 403 and never reach the route's handler.

```coffeescript
admin = (req, res, next) ->
  if app.securityhandler.isAdmin(req)
    next()
  else
    # Report which admin is configured and who, if anyone, is logged in.
    # Distinct local names keep the filter function `admin` from being reassigned.
    adminName = argv.admin or "none specified"
    userName = req.session?.passport?.user or req.session?.email or req.session?.friend or "not logged in"
    res.status(403).send { error: 'service requires admin user', admin: adminName, user: userName }
```
The server can also confirm that a request comes from the logged-in owner of the site, or that the write is otherwise authorized. The filter has the same shape as the admin filter:

```coffeescript
authorized = (req, res, next) ->
  if app.securityhandler.isAuthorized(req)
    next()
  else
    # Mirrors the admin filter above: refuse the request, do not fall through.
    res.status(403).send { error: 'service requires authorized user' }
```
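Both filters above depend on whatever `app.securityhandler` decides. The following is an added example, not wiki-server's own code: the admin and authorized filters rewritten in plain JavaScript (the page's code is CoffeeScript) with a hypothetical security handler that decides purely from the session and two assumed configuration values (an admin identity and a site-owner identity), plus a fake `res` so the whole thing runs offline without Express. The sample sessions are constructed, not captured from a server.

```javascript
// Hypothetical security handler. In the server the handler comes from
// app.securityhandler; this stand-in decides purely from the session contents
// and two assumed configuration values: the admin identity and the site owner.
function makeSecurityHandler({ admin, owner } = {}) {
  // Same three identity sources the page's filter consults, in the same order.
  const loggedInUser = (req) => {
    const s = req.session || {};
    return (s.passport && s.passport.user) || s.email || s.friend || null;
  };
  return {
    admin,
    loggedInUser,
    // Admin requires a configured admin identity AND a matching login;
    // with no admin configured the check fails closed for everyone.
    isAdmin: (req) => admin !== undefined && loggedInUser(req) === admin,
    // Writes are allowed for the site owner or the admin, nobody else.
    isAuthorized: (req) => {
      const user = loggedInUser(req);
      return user !== null && (user === owner || (admin !== undefined && user === admin));
    },
  };
}

// Express-style filter: call next() only on success, otherwise answer 403
// with the same diagnostic fields the page's CoffeeScript sends.
function adminFilter(securityhandler) {
  return (req, res, next) => {
    if (securityhandler.isAdmin(req)) return next();
    return res.status(403).send({
      error: 'service requires admin user',
      admin: securityhandler.admin || 'none specified',
      user: securityhandler.loggedInUser(req) || 'not logged in',
    });
  };
}

function authorizedFilter(securityhandler) {
  return (req, res, next) => {
    if (securityhandler.isAuthorized(req)) return next();
    return res.status(403).send({
      error: 'service requires authorized user',
      user: securityhandler.loggedInUser(req) || 'not logged in',
    });
  };
}

// Minimal stand-in for Express's res object: only status() and send().
function fakeRes() {
  const res = { statusCode: 200, body: undefined };
  res.status = (code) => { res.statusCode = code; return res; };
  res.send = (body) => { res.body = body; return res; };
  return res;
}

// Run one filter against a request and report whether it reached next().
function runFilter(filter, req) {
  const res = fakeRes();
  let passed = false;
  filter(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, body: res.body };
}

// Constructed sample sessions covering each identity source and no login.
const requests = {
  anonymous: { session: {} },
  alice: { session: { passport: { user: 'alice' } } },
  bob: { session: { email: 'bob@example.com' } },
  carol: { session: { friend: 'carol' } },
};

// Stand-alone demo: alice is admin, bob owns the site, carol is merely logged in.
const demoHandler = makeSecurityHandler({ admin: 'alice', owner: 'bob@example.com' });
for (const [name, req] of Object.entries(requests)) {
  console.log(name, 'admin ->', JSON.stringify(runFilter(adminFilter(demoHandler), req)));
  console.log(name, 'write ->', JSON.stringify(runFilter(authorizedFilter(demoHandler), req)));
}
```

Two things the page's code settles that are worth keeping when writing your own filter: the check happens before the route handler runs and the only way through is the explicit `next()`, so an unconfigured admin fails closed; and the 403 body echoes both the configured admin identity and the caller's own identity, which is handy for debugging but tells any unauthenticated caller who the administrator is.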