im doing nessus testing on my express app
and here what i get
Based on tests of each method :
HTTP methods ACL CHECKOUT COPY DELETE GET HEAD LOCK MERGE
MKACTIVITY MKCOL MOVE NOTIFY OPTIONS PATCH POST PROPFIND
PROPPATCH PUT REPORT SEARCH SUBSCRIBE TRACE UNLOCK UNSUBSCRIBE
are allowed on :
/
/login
/styles
i done some search and actually end up here.
disable HTTP methods, TRACK TRACE etc
the solution
const allowedMethods = ['GET','HEAD','POST'];
function onrequest(req, res) {
if (!allowedMethods.includes(req.method))
return res.end(405, 'Method Not Allowed');
// ...
}
however i do not understand how to use the solution,
#kiksy comment that: This method would sit in your front controller. eg from here: expressjs.com/en/starter/hello-world.html You would add it to line 3
but line 3 was "const port = 3000"
it makes me confused
could someone help me on that
FYI, i could not comment becoz i dont have 50 rep
The comment is essentially saying that you can add this to any of your routes and you're checking the incoming method from each request to see if it is one of the whitelisted HTTP methods, and if not, you're going to return a 405 to let the user know that the method they've tried to hit is unsupported.
You could use a middleware to blanket this for all requests.
const allowedMethods = ['GET', 'HEAD', 'POST']
app.use((req, res, next) => {
if (!allowedMethods.includes(req.method)) return res.end(405, 'Method Not Allowed')
return next()
})
Related
when i try to delete data by this code its not working
router.delete('/delete-screen/:id',(req,res)=>{
let proId=req.params.id
console.log(proId)
theaterHelpers.deleteOwner(proId).then((response)=>{
res.redirect('/theater/screens')
})
})
but using this code it working
router.get('/delete-screen/:id',(req,res)=>{
let proId=req.params.id
console.log(proId)
theaterHelpers.deleteOwner(proId).then((response)=>{
res.redirect('/theater/screens')
})
})
what i done is replace delete to get, My question is how can make a http delete request in my code
my delete function code is
deleteScreen:(screenId)=>{
return new Promise((resolve,reject)=>{
db.get().collection(collection.SCREEN_COLLECTION).removeOne({_id:ObjectID(screenId)}).then((response)=>{
console.log(response)
resolve(response)
})
})
}
If you're using a server-rendered application, then you can only issue GET and POST requests. The only way to trigger a delete route handler is to trick your application into thinking the incoming request actually has DELETE semantics. You can do this by modifying the request.method property before the request is actually handed to the router.
There are a number of ways to achieve this, and the method-override package has got you covered.
For instance, the following setup would update request.property for incoming GET requests to the value provided with the _method query parameter.
var methodOverride = require('method-override')
app.use(methodOverride("_method", { methods: ["GET"] }))
Then, accordingly add a _method query parameter with the DELETE value to the url you want to use to trigger you delete route handler.
yourUrl?_method=DELETE
https://www.npmjs.com/package/method-override
Нello! I am looking to call a function which has been passed to an expressRouter.post(...) call.
This expressRouter.post(...) call is occurring in a file which I am unable to modify. The code has already been distributed to many clients and there is no procedure for me to modify their versions of the file. While I have no ability to update this file for remote clients, other developers are able to. I therefore face the issue of this POST endpoint's behaviour changing in the future.
I am also dealing with performance concerns. This POST endpoint expects req.body to be a parsed JSON object, and that JSON object can be excessively large.
My goal is to write a GET endpoint which internally activates this POST endpoint. The GET endpoint will need to call the POST endpoint with a very large JSON value, which has had URL query params inserted into it. The GET's functionality should always mirror the POST's functionality, including if the POST's functionality is updated in the future. For this reason I cannot copy/paste the POST's logic. Note also that the JSON format will never change.
I understand that the issue of calling an expressjs endpoint internally has conventionally been solved by either 1) extracting the router function into an accessible scope, or 2) generating an HTTP request to localhost.
Unfortunately in my case neither of these options are viable:
I can't move the function into an accessible scope as I can't modify the source, nor can I copy-paste the function as the original version may change
Avoiding the HTTP request is a high priority due to performance considerations. The HTTP request will require serializing+deserializing an excessively large JSON body, re-visiting a number of authentication middlewares (which require waiting for further HTTP requests + database queries to complete), etc
Here is my (contrived) POST endpoint:
expressRouter.post('/my/post/endpoint', (req, res) => {
if (!req.body.hasOwnProperty('val'))
return res.status(400).send('Missing "val"');
return res.status(200).send(`Your val: ${req.body.val}`);
});
If I make a POST request to localhost:<port>/my/post/endpoint I get the expected error or response based on whether I included "val" in the JSON body.
Now, I want to have exactly the same functionality available, but via GET, and with "val" supplied in the URL instead of in any JSON body. I have attempted the following:
expressRouter.get('/my/get/endpoint/:val', (req, res) => {
// Make it seem as if "val" occurred inside the JSON body
let fakeReq = {
body: {
val: req.params.val
}
};
// Now call the POST endpoint
// Pass the fake request, and the real response
// This should enable the POST endpoint to write data to the
// response, and it will seem like THIS endpoint wrote to the
// response.
manuallyCallExpressEndpoint(expressRouter, 'POST', '/my/post/endpoint', fakeReq, res);
});
Unfortunately I don't know how to implement manuallyCallExpressEndpoint.
Is there a solution to this problem which excludes both extracting the function into an accessible scope, and generating an HTTP request?
This seems possible, but it may make more sense to modify req and pass it, rather than create a whole new fakeReq object. The thing which enables this looks to be the router.handle(req, res, next) function. I'm not sure this is the smartest way to go about this, but it will certainly avoid the large overhead of a separate http request!
app.get('/my/get/endpoint/:val', (req, res) => {
// Modify `req`, don't create a whole new `fakeReq`
req.body = {
val: req.params.val
};
manuallyCallExpressEndpoint(app, 'POST', '/my/post/endpoint', req, res);
});
let manuallyCallExpressEndpoint = (router, method, url, req, res) => {
req.method = method;
req.url = url;
router.handle(req, res, () => {});
};
How about a simple middleware?
function checkVal(req, res, next) {
const val = req.params.val || req.body.val
if (!val) {
return res.status(400).send('Missing "val"');
}
return res.status(200).send(`Your val: ${val}`);
}
app.get('/my/get/endpoint/:val', checkVal)
app.post('/my/post/endpoint', checkVal)
This code isn't tested but gives you rough idea on how you can have the same code run in both places.
The checkVal function serves as a Express handler, with request, response and next. It checks for params first then the body.
I'm building rest end point server (nodejs and restify).
I need to support the same route for two type of client's requests , one for GET and the other for POST.
Currently I solved it by this way :
server.get('/foo' , _ProcessRequest);
server.post('/foo' , _ProcessRequest);
function _ProcessRequest(req, res , next){...}
But I was wondering if there another way to support this type of request
Thanks
Personally the way you have your route structured I find to be the cleanest without use Router Middleware to abstract away the .get() and .post() calls. Since your question asks for other ways to do this here are others ways that you could structure your Route handlers to achieve the same funcitonality.
One way is to structure your routes would be to use router.route() and then specify a handler for each HTTP Method.
server.route('/foo')
.get(_ProcessRequest)
.post(_ProcessRequest)
Alternatively you could modify _ProcessRequest to have a condition that checks req.method with a more middleware style handler using next() to short circuit requests to /foo that aren't a GET or POST.
server.use('/foo', _ProcessRequest)
function _ProcessRequest(req, res, next) {
// If not either a GET or a POST then continue to next handler
if (req.method !== 'GET' && req.method !== 'POST') {
return next()
}
// Request is a HTTP GET or POST so perform logic
}
I have 2 routes set up for my express server that look very close to each other. They are basically the same url, except one is post and one is get, and the get has an extra route param (which is optional). Right now these seem to work ok, however if I do not add the optional param to the get call, it thinks I'm trying to hit the post. I would like to be able to hit the get call without the passing the second optional param as well. Let me show you what I have so far:
router.param('itemID', (req, res, next, itemID) => {
verbose("itemID=", itemID);
next();
});
router.param('navigationType', (req, res, next, navigationType) => {
if (!navigationType) {
next();
}
verbose("navigationType=", navigationType);
next();
});
router.route('/:itemID/navigations')
.post(controllers.addActivity)
.all(routes.send405.bind(null, ['POST']));
router.route('/:itemID/navigations/:navigationType')
.get(controllers.listActivities)
.all(routes.send405.bind(null, ['GET']));
The routed.send405 method looks like this :
function send405(methods, req, res) {
res.set('Allow', methods.join(','));
res.status(405).json({
message: `Method '${req.method}' Not Allowed.`
});
}
So right now the issue is if I do a get on /blah123/navigations and don't add the /:navigationType variable, it thinks I am trying to hit the post method. I am very new to working with this and would appreciate any help or insight. Thanks!
When you declare a route, say GET /admins/:id, it will match any requests to GET /admins/1 or GET /admins/john. But when you do just GET /admins, it wouldn't be able to find because you haven't declared GET route matching that pattern.
To work with this, you have to specify navigationType is an optional parameter and also place the GET request first followed by the POST, like this.
router.route('/:itemID/navigations/:navigationType?')
.get(controllers.listActivities)
.all(routes.send405.bind(null, ['GET']));
router.route('/:itemID/navigations')
.post(controllers.addActivity)
.all(routes.send405.bind(null, ['POST']));
I am trying to use Express js with .ejs views.
I want to redirect my page to some another page on any event let say "onCancelEvent"
As per Express js documentation,I can do this by using res.redirect("/home");
But I am not able to get res object in my ejs file.
Can anyone Please tell me how to access req and res object in .ejs file
Please help.
Thanks
Short Answer
If you want to access the "req/res" in the EJS templates, you can either pass the req/res object to the res.render() in your controller function (the middleware specific for this request):
res.render(viewName, { req : req, res : res /* other models */};
Or set the res.locals in some middleware serving all the requests (including this one):
res.locals.req = req;
res.locals.res = res;
Then you will be able to access the "req/res" in EJS:
<% res.redirect("http://www.stackoverflow.com"); %>
Further Discussion
However, do you really want to use res in the view template to redirect?
If the event initiates some request to the server side, it should go through the controller before the view. So you must be able to detect the condition and send redirect within the controller.
If the event only occurs at client side (browser side) without sending request to server, the redirect can be done by the client side javascript:
window.location = "http://www.stackoverflow.com";
In my opinion: You don't.
It is better to create the logic that determines the need to redirect inside some middleware that happens long before you call res.render()
It is my argument that your EJS file should contain as little logic as possible. Loops and conditionals are ok as long as they are limited. But all other logic should be placed in middleware.
function myFn( req, res, next) {
// Redirect if something has happened
if (something) {
res.redirect('someurl');
}
// Otherwise move on to the next middleware
next();
}
Or:
function myFn( req, res, next) {
var options = {
// Fill this in with your needed options
};
// Redirect if something has happened
if (something) {
res.redirect('someurl');
} else {
// Otherwise render the page
res.render('myPage', options);
}
}