Reputation: 875
What is the correct use of bodyParser middleware in Node.js express?
I am new to node.js and express and have been experimenting with them for a while. Now I am confused with the design of the express framework related to parsing the request body. From the official guide of express:
app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(app.router);
app.use(logErrors);
app.use(clientErrorHandler);
app.use(errorHandler);
After setting up all the middleware, then we add the route that we want to handle:
app.post('/test', function(req, res){
//do something with req.body
});
The problem with this approach is that all request body will be parsed first before the route validity is checked. It seems very inefficient to parse the body of invalid requests. And even more, if we enable the upload processing:
app.use(express.bodyParser({uploadDir: '/temp_dir'}));
Any client can bombard the server by uploading any files (by sending request to ANY route/path!!), all which will be processed and kept in the /temp_dir. I can't believe that this default method is being widely promoted!
We can of course use the bodyParser function when defining the route:
app.post('/test1', bodyParser, routeHandler1);
app.post('/test2', bodyParser, routeHandler2);
or even perhaps parse the body in each function that handle the route. However, this is tedious to do.
Is there any better way to use express.bodyParser for all valid (defined) routes only, and to use the file upload handling capability only on selected routes, without having a lot of code repetitions?
Upvotes: 29
Views: 15398
Answers (1)
Reputation: 146094
Your second method is fine. Remember you can also pass arrays of middleware functions to app.post, app.get and friends. So you can define an array called uploadMiddleware with your things that handle POST bodies, uploads, etc, and use that.
app.post('/test1', uploadMiddleware, routeHandler1);
The examples are for beginners. Beginner code to help you get the damn thing working on day 1 and production code that is efficient and secure are often very different. You make a certainly valid point about not accepting uploads to arbitrary paths. As to parsing all request bodies being 'very inefficient', that depends on the ratio of invalid/attack POST requests to legitimate requests that are sent to your application. The average background radiation of attack probe requests is probably not enough to worry about until your site starts to get popular.
Also here's a blog post with further details of the security considerations of bodyParser.
Upvotes: 33
Related Questions
- How do I call "{express,connect}.bodyParser()" from within middleware?
- Using express.json instead of express.bodyparser
- express 3.0 bodyParser not working properly
- bodyParser is deprecated express 4
- Error making a connectionto node “most middleware (like bodyParser) and must be installed separately by nodejs"
- Do I have to use bodyParser in nodejs?
- Expressjs bodyParser and connect-form
- node.js architecture - how to share middleware (bodyparser)
- Express bodyParser
- What does the bodyParser() in connect middleware do?