Reputation: 31
how to prevent extra stuff being send in req.body in Express.js
I was just wondering is it possible to restrict what is been sent in the req.body
like can I create a middleware that checks the req.body for extra junk before it goes to the controller
is this even an issue?
if I just select the needed data it doesn't matter how bloated is the req.body?
thank you.
Upvotes: 0
Views: 928
Answers (2)
Reputation: 136
You can do some object destructuring as a way to limit the data being passed in and used, but that may clutter up your route handler code. I would go with destructuring in your controller methods, rather than modifying the data through middleware, which can lead to confusion.
For example:
const User = require("./user");
const express = require("express");
const router = new express.Router();
router.post("/login", async (req, res, next) => {
// let's pretend req.body has username, password, and otherJunk.
//option 1
const userThing1 = await User.authenticate1(req.body);
// option 2
const userThing2 = await User.authenticate2(req.body);
// option 3
const { username, password, otherJunk } = req.body;
const userThing3 = await user.authenticate3({username, password});
// ...do stuff with userThing responses here
}
the User class with the authenticate1, authenticate2, authenticate3 methods are defined below
class User {
// see route handler first
static async authenticate1(data) {
// destructure here, grab only what you need
const {username, password} = data;
// do stuff with username and password here.
// note that data.otherJunk is still accessible here.
}
static async authenticate2({username, password }) {
// destructured in the parameters, do stuff with username and password here
// otherJunk is not accessible here.
}
static async authenticate3({username, password, otherJunk }) {
// destructured in the parameters, do stuff with username and password here.
// note that otherJunk will not be accessible because of the way we passed variables into the route handler.
}
}
module.exports = User;
There are of course many ways to do this, but I'd go with either option 1 or option 2, grabbing username, password, and ignoring otherJunk in the destructuring process. It still allows for the necessary data to be passed through, but makes it so that you're grabbing only what you need for explicitness and readability.
Upvotes: 1
Reputation: 108651
I guess you want to reject requests containing body parameters with names that aren't in an allowed list. It should be relatively easy to do that.
const createError = require('http-errors')
const bodyAllowedList = new Set (['username', 'password'])
function checkbody(req,res,next) {
for (const prop in req.body) {
if(req.body.hasOwnProperty(prop) && !bodyAllowedList.has(prop)) {
next(createError(400, 'unexpected parameter in POST body'))
}
}
}
route.post('whatever', checkbody, function (req, res, next){
/* your route handler here. */
})
You see the general pattern: look at the properties of the req.body object: they are the body parameters. If you see one you don't want call next(error) and express will kick an error back to the requestor.
Upvotes: 1
Related Questions
- Express: Prevent bodyParser from parsing request
- Express JS API req.body shows buffer data
- express node how to avoid sending user data on every request?
- Express Handling empty req.body?
- Req.body is empty node.js and express
- express.js - req.body?
- Prevent express body-parser from removing body prior to request.pipe
- req.body is empty just like {}
- Req.body ={} after request post
- express.js req.body is always empty