Routes with /"model" bypassing routes defined in routes.js - security

Well, i'm building a back-end project on Sails.js in the default port 1337, and everytime i send a get request like "localhost:1337/user", while user is a model, the server responds with all the content in that table. I have a controller for that model, but this request bypass the entire controller and sends all user informations in the table.
I already tried overwriting the '/user' request with a function that sends nothing in response, but still sending every information in the table.
Anyone can help me with that?

Related

Getting data from my database via my api(express) in react

I am making my first mern app and i want to populate the dashboard when someone logs in i was thinking that I should make a get request in my server and call my database in the get request and do the work from there but I heard somewhere that I shouldn't do this because its dangerous to call sensitive data in get request , so I am not sure that how I should get that data in my react app.
You can use a Post request.
I Recommend the Axios Library it is the most used HTTP Request library
https://www.npmjs.com/package/axios
then do
axios.post("https://url.de/request", {
data1: "hallo",
data2: "secret data"
})
in express the data is then in req.body.data1
EDIT: the Data is only secure when the url starts with https://

How do I debug Axios frontend POST (React) to backend express POST? Console shows request as POST and status 200

Browser: Safari
Texteditor: VS CODE
Frontend framework: Reactjs
Backend setup: Express.js
Problem: I have an Axios post request on the front end after an onClick call event is triggered. I am unable to debug the data being sent in the body and know why it isn't getting over to the backend.
The screenshots show the code:(not the breakpoints in red. I am not sure where a good place to use debugger;
This is the code for the onClick event
This is the Backend code running on express port 8000
This is a screenshot of safari and the form being submitted. In the console is the response. As you can see it shows as post request type and status 200. None of that data gets over to the backend SQL database.
Note in the screen above that the object is rendered several times. That is because to get this code to show the results in the console I changed this function.
to this:(though according to react the above is the correct way and will only fire the function once when onclick event is triggered. The below approach does not require an onclick event.
Below is the data showed when setting a breakpoint on all requests. Note that it appears to be a GET request when it should be a POST
Note this is a POST REQUEST. This only happens when the onclick function is changed.
Any help on this matter would be greatly appreciated. I know I am close to figuring this out, however, I am still new to React and CRUD works with it.
So your backend isn't handling the request being made from the front-end. if you want to see the data, try doing this in your server. You need to handle the request your front-end is making before sending a response. The below code just destructures the request body so you don't have to write many lines of code. Once you click on the submit button, you should see that your front-end input is popping up on your back end console. You are currently trying to send an unhandled request. If you want to let's say send something to the front-end based on the request, you would do something like
res.json({nameOfThing: valueOfTheThing"}) AFTER HANDLING THE REQUEST.
app.post("/", (req, res)=>{
const {email, name, question} = req.body
console.log(`Your Email is ${email} and your name is ${name} and your ${question}`)
})
The data should appear in your console. I have actually written a blog on how to do stuff like this. Feel free to check it out. https://dev.to/gbudjeakp/how-to-connect-your-node-express-backend-with-your-react-front-end-post-610

Express API response directly outputted in browser instead being handled by Nuxt.js

I have an express server that is connected to mongodb. I have a nuxt route for /account under pages directory. I also have a same route in the express server app.use('/account', account) which is handling the requests.
The database model has been set correctly and the response is sent by the server using return res.status(200).json(User) whenever the route is called upon using a get request. I'm also seeing the response being delivered to the browser.
But the problem is the response is being outputted directly in the browser as raw json. Nuxt is not being loaded to handle the response. I haven't setup any $axios data call in the component using asyncdata or fetch yet.
Here's the sample response that i see in the browser
{"email":"sample#example.com","account":"123445667777"}
I'm not sure what the issue is?

Express wont match url to route when coming from remote server

I'm setting up a site that posts to a remote server. The user performs some steps on this remote server and when the user is done. The server issues a get request with a bunch of query parameters to my server.
The thing is that this request never arrives at the controller method it is supposed to.
I have a custom middleware that intercepts all requests and i am doing some logging in there, i can see there every time this request arrives to my server but express doesn't seem to match it to the controller.
However if i go into my browser and do the request from there with the exact same path and query string it works fine.
I thought maybe the remote server was using a proxy so i enabled trust proxy in express but that didn't make any difference.
I have tried changing the route path and that didn't make a difference.
I don't know what code would be helpful since it is pretty standard express code. I have tried putting the route before all the middleware and the request still bypassed the controller and was logged by my logging middleware.
I'm completely baffled, anyone got any idea what could be causing this?
EDIT:
Here is some of the code I'm using. This is not the exact setup I'm trying but I have tried to make it work this way to rule out my routing logic and this example has the exact same problem. I tried putting the app.get above the middleware and the request from the external server still bypassed the app.get and went directly to the middleware.
app.use(function(req, res, next) {
console.log('path', req.method, req.path, req.query);
});
app.get('/payments/success', function (req, res) {
console.log('SUCCESS', req.query);
res.status(200).send();
});
Here is the result of the middleware logging a request arriving from the remote server(i removed the variables logged from the request query because it is sensitive information, they are returned just the way they are supposed to):
path GET /payment/success {
variable: 'variable",
}
If anyone needs any more information from the request object i will provide it.

NodeJS - Not being able to access the route I want

I'm having some troubles getting to a route I got. The route works on http://localhost:3000/me and shows info but on http://localhost:3000/!#/me it doenst show anything. The purpose of said route is to show the logged persons' profile.
On my server routes I got:
app.get('/me', users.me);
The users.me function is as follows:
exports.me = function(req, res) {
res.jsonp(req.user);
};
The console states it expected a object and got an array, I can understand that since I'm getting a json, but how can I send the own user back to the front-end so it shows his/her profile?
Edit: I managed to solve my problem, since I use passportjs I can get the user id from the session. Since I already had a route for a user by id, I simply had to redirect to said route. Like this: req.redirect('users/'+ req.session.passport.user);. Since I already had a /users/:userId route working it completely solved my issue.
Edit2: Apparently there are several ways to get the user id. Try to console.log the request and you will see what I mean :)
/me and /!#/me are not the same route . The later won't match get('
/me',..)
the hash fragment #/me will not send to the server, you cannot capture that by server side routers(without force the page refresh by client code). But you can manage that by client-code.

Resources