Express: req.params vs req.body (JSON) - node.js

Which is more correct, and why? Does it depend on the scenario? Is there a standard?
router.post("/user", function(req, res) {
let thisUserId = req.body.userId;
});
router.post("/user/:userId", function(req, res) {
let thisUserId = req.params.userId;
}
Thanks!

This question is more about RESTful API conventions than node or express. Based on generally accepted REST conventions, this is basic CRUD operation:
/* fetch all users */
GET /users
/* fetch specific user */
GET /users/:userId
/* create new user */
POST /users
/* edit specific user */
PUT /users/:userId
/* delete specific user */
DELETE /users/:userId
So in your case I would say req.body is more appropriate, considering you want to create a user.
EDIT: another useful resource that supports this case: 10 best practices for better RESTful API.

req.body is used to access actual form data that you 'posted'.
req.params is used for route parameters, in your case userId which is passed in the parameters:
router.post("/user/:userId", function(req, res) {
let thisUserId = req.params.userId;
}
The official docs:
req.body
Contains key-value pairs of data submitted in the request
body. By default, it is undefined, and is populated when you use
body-parsing middleware such as body-parser and multer.
Link to req.body docs
req.params
This property is an object containing properties mapped to
the named route “parameters”. For example, if you have the route
/user/:name, then the “name” property is available as req.params.name.
This object defaults to {}.
Link to req.params docs
If you want to implement guards or any other logic in your route that relies on that id (of an existing user), you pass the userID in the params.
Let's say you are submitting a form where a new user registers.. You don't want to send the credentials in the parameters since it's confidential data and easily accessible this way. Here it makes sense to put those values in the request-body and use therefore req.body..
As Haris Bouchlis already mentioned in his answer it depends on your CRUD-ops that you like to perform.

In this case I advice to use req.params.userId.
Normal API entries have this standard. To get all the users the path will be '/users'.
To retrieve or update a specific user, the path will be '/users/1'.
API example

Yes there are completely different and used for the different purpose
1.req.params comes from path segments of the URL that match a parameter in the route definition such a /song/:songid. So, with a route using that designation and a URL such as /song/48586, then req.params.songid === "48586".
2.req.body properties come from a form post where the form data (which is submitted in the body contents) has been parsed into properties of the body tag.

Related

How to support optional parameters in restify?

I am using Restify for creating REST APIs. I have created the route in such format /ConfigDetails/:name/:id where name and id are optional.
If none of the two params is given, all configdetails will be fetched;
If name is given, config details for that name will be returned;
If id is given, config details for that id will be returned;
My question is, how do I make them optional? With the current route I've defined, unless all two parameters are present, it will not be able to be resolved and will fall into the default route.
As per my understanding restify don't support '?'
Can anyone help me on this.
I think you can't do this in restify. I have a work around which my work for you.
router.get('/ConfigDetails/:name/:id', handler)
router.get('/ConfigDetails/:name', handler)
router.get('/ConfigDetails', handler)
function handler(req, res, next) {
const {name = '', id = ''} = req.params
// your code here
}
As for REST API best practices, you should not put optional path parameters. It should be either in query params or request body for non GET requests.

Koa-router getting parsed params before hitting route

I'm using koa2 and koa-router together with sequelize on top. I want to be able to control user access based on their roles in the database, and it's been working somewhat so far. I made my own RBAC implementation, but I'm having some trouble.
I need to quit execution BEFORE any endpoint is hit if the user doesn't have access, considering endpoints can do any action (like inserting a new item etc.). This makes perfect sense, I realize I could potentially use transactions with Sequelize, but I find that would add more overhead and deadline is closing in.
My implementation so far looks somewhat like the following:
// initialize.js
initalizeRoutes()
initializeServerMiddleware()
Server middleware is registered after routes.
// function initializeRoutes
app.router = require('koa-router')
app.router.use('*', access_control(app))
require('./routes_init')
routes_init just runs a function which recursively parses a folder and imports all middleware definitions.
// function initializeServerMiddleware
// blah blah bunch of middleware
app.server.use(app.router.routes()).use(app.router.allowedMethods())
This is just regular koa-router.
However, the issue arises in access_control.
I have one file (access_control_definitions.js) where I specify named routes, their respective sequelize model name, and what rules exists for the route. (e.g. what role, if the owner is able to access their own resource...) I calculate whether the requester owns a resource by a route param (e.g. resource ID is ctx.params.id). However, in this implementation, params don't seem to be parsed. I don't think it's right that I have to manually parse the params before koa-router does it. Is anyone able to identify a better way based on this that would solve ctx.params not being filled with the actual named parameter?
edit: I also created a GitHub issue for this, considering it seems to me like there's some funny business going on.
So if you look at router.js
layerChain = matchedLayers.reduce(function(memo, layer) {
memo.push(function(ctx, next) {
ctx.captures = layer.captures(path, ctx.captures);
ctx.params = layer.params(path, ctx.captures, ctx.params);
ctx.routerName = layer.name;
return next();
});
return memo.concat(layer.stack);
}, []);
return compose(layerChain)(ctx, next);
What it does is that for every route function that you have, it add its own capturing layer to generate the params
Now this actually does make sense because you can have two middleware for same url with different parameters
router.use('/abc/:did', (ctx, next) => {
// ctx.router available
console.log('my request came here too', ctx.params.did)
if (next)
next();
});
router.get('/abc/:id', (ctx, next) => {
console.log('my request came here', ctx.params.id)
});
Now for the first handler a parameter id makes no sense and for the second one parameter did doesn't make any sense. Which means these parameters are specific to a handler and only make sense inside the handler. That is why it makes sense to not have the params that you expect to be there. I don't think it is a bug
And since you already found the workaround
const fromRouteId = pathToRegexp(ctx._matchedRoute).exec(ctx.captures[0])
You should use the same. Or a better one might be
var lastMatch = ctx.matched[ctx.matched.length-1];
params = lastMatch.params(ctx.originalUrl, lastMatch.captures(ctx.originalUrl), {})

REST method GET for searching by criteria as json fro mongodb

I have an nodejs server with express and mongoose and I'd like to use method GET for search accoring to criteria which I'd like to provide as JSON object does anyone can help me how to implement it?
Or maybe should I use POST or PUT to make it?
http://hostname/modelname?criteria1=1&criteria2=2
router.route('/modelname')
.get(function (req, res, next) {
req.query.criteria1 === 1 // true
req.query.criteria2 === 2 // true
});
If you are unsure of what HTTP VERB you'd want to use,
POST - is primarily used for creating resources on the server
PUT - is used to update an existing resource
GET- to retrieve a resource
I would use GET in this case
GET http://myhost.com?q=word1+word2+word3+word4
app.get('*', function(req, res) {
// do something with the req.query.q array
});
You've got two options - using HTTP GET params or encoding whole criteria as JSON string and passing that string.
First option, by using params:
?crit[foo.bar][$eq]=abc&crit[foo.baz][$ne]=def
You can read it in nodejs/express via req.query.crit. But this is bad idea because there's no way of retaining data types. For example number 1 becomes string "1". Don't use it - MongoDB is data type sensitive so query {"foo.bar":{$eq:1}} is completely different from {"foo.bar":{$eq:"1"}}
Second option is to urlencode JSON criteria:
?critJSON=%7B%22foo.bar%22%3A%7B%22%24eq%22%3A%20%22abc%22%7D%2C%22foo.baz%22%3A%7B%22%24ne%22%3A%20%22def%22%7D%7D
And parse it on nodejs/express side:
var crit = JSON.parse(req.query.critJSON)
This way your data types are retained and it will work as expected.

Is it ok to work directly on the data in req.body?

I'm working on an app in Node/Express/Jade.
I have a GET route which render a form. When the user submit this, a POST route is handling the request. I use bodyParser, which populate the req.body.
I then sanitize, validate and generate new data directly in the req.body:
// Shorthand variable
var doc = req.body;
// Sanitise and transform user input
doc.company = sanitize( doc.company ).trim();
doc.contact_person = sanitize( doc.contact_person ).trim();
...
// Validate user input
validator.check( doc.company, 'Some error message' ).notEmpty();
validator.check( doc.contact_person, 'Another error message' ).notEmpty();
...
// Generate new object data
doc.slug = sanitize( doc.company ).toSlug();
...
Question: is if there are any special reason for me not to edit the data directly in the req.body? Should I instead making a new "doc" object from the data in req.body, and in that new object sanitize, validate and add the new generated data.
It's fine to edit data in req.body. The only thing you should be aware of is that the next route or middleware will get a modified version of req.body.
So, you may create a single route/middleware to sanitize and transform your req.body and then use transformed results in multiple routes.
You can definitely modify it. For example, the express.json middleware parses raw body data into JSON for the rest of the middleware chain.
It's best to use a copy if your intention isn't to alter data for the rest of the chain, even if it won't interfere with correct operation. It prevents sometimes hard-to-debug errors that might crop up in later development.

how to get URI as parameters in NodeJS

How can i get the URI and use it as params in nodejs. I am using express.
http://localhost:3000/getParams/param1/param2/param3/paramN
I want to get "/param1/param2/param3/paramN".
This is my current code:
app.get("/getParams/:params", test.params);
Thanks!
You can access the full path as one param, or you can access each segment as a separate param. To get as one param:
app.get('/mysvc/:input(*)', function(req, res)
{
console.log(req.params.input);
// ...
});
Notice the route which says everything (regex match of *) after /mysvc/ will be mapped to the input reques param. Then you can reference it via req.params
In this example, a request to /mysvc/foo/bar will output foo/bar
If you want to get each segment as a separate param then:
app.get('/mysvc/:param1/:param2'
access via req.params.param1, req.params.param2, etc...
In express parameters are available in the req object req.params.parameterName so in your case you can access it within the route like this req.params.params.
The params that you can access from the handler depends upon the route definitions. If you route is like
/my/:one/:two/:three
then you can access them as
req.params.one
req.params.two
req.params.three

Resources