Constantly Confused

Reputation: 635

node.js serving up HTML documents in server directory

So I have a pretty simple question. At the moment my server file and HTML documents all live in the same directory. However, I've realised this has led to quite an annoying problem. If a user were to type:

http://localhost:3000/HTML/homepage.html

The server serves them the HTML document, where usually they'd have to go through sign in, and have their session ID verified before they could access the homepage.

Is there any way to deny access to files held in the server directory?

Example of how my code currently runs:

var http = require('http'),
    fs = require('fs');

var path = require("path");
var bodyParser = require('body-parser');
var cookieParser = require('cookie-parser');
var session = require('express-session');

var sqlite3 = require('sqlite3').verbose();
var express = require('express');
var app = express();

// Parse JSON and form bodies so req.body.email / req.body.password exist.
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(cookieParser());
// Session middleware must be registered for req.session to exist below;
// the secret is a placeholder for this example.
app.use(session({ secret: 'replace-with-a-real-secret', resave: false, saveUninitialized: false }));

// Serves every file under the app directory, including HTML/homepage.html.
app.use(express.static(__dirname));

app.get('/signin', function (req, res) {
    res.sendFile(path.join(__dirname, 'HTML', 'signin'));
});

app.post('/signin', function (req, res) {
    var email = req.body.email;
    var password = req.body.password;

    // Both fields must be present and non-empty.
    if (email && password) {
        req.session.sessID = email; //using email for example purposes

        res.setHeader('Content-Type', 'application/json');
        res.send(JSON.stringify({
            success: true //the client then catches the JSON, and will redirect to http://localhost:3000/homepage
        }));
    } else {
        res.status(401).json({ success: false });
    }
});

app.get('/homepage', function (req, res) {
    if (req.session.sessID == undefined) {
        res.send("You must login first!");
    } else {
        res.sendFile(path.join(__dirname, 'HTML', 'homepage.html'));
    }
});

var server = app.listen(3000, function () {
  var host = server.address().address;
  var port = server.address().port;

  console.log('Example app listening at http://%s:%s', host, port);
});

Upvotes: 0

Views: 109

Answers (1)

jfriend00

Reputation: 707556

The source of your problem is this:

app.use(express.static(__dirname));

This tells express to serve ANY file it can find on your hard drive from the app directory on down. This is not advisable. This will even serve up your private server source code files if the right path is entered into the browser.

You should distinguish between your static files and your dynamically handled routes and you should make sure there is no possibility of conflict between them.

A common design is to designate a separate directory on your hard drive for static HTML files (not your app directory) and then set up express static routing to there. And, make sure that none of your dynamic routes will ever be satisfied with the static routing.

For example, if your static HTML files are in a sub-directory HTML which is below your __dirname directory, then you can do this:

app.use(express.static(path.join(__dirname, "HTML")));

And, then make sure none of your dynamic HTML files such as homepage.html are in that directory (put them somewhere else that express.static() will not ever see).


If you don't actually want the user to be able to see anything except your custom routes, then get rid of the app.use(express.static(__dirname)); line entirely and just create custom routes for each page you are serving.

Upvotes: 2
