Develop Reference

Express 4, matching req.path with URL param

I made a custom middleware for Express router that allows me to whitelist certain endpoints of my API to be excluded from authentication. However I have a route where I depend on URL parameter and I can't get my middleware to work as intended with it. Apparently :profileId doesn't do anything and my API endpoint still requires authentication.
The reason I need that path to be excluded from authentication is because of my React frontend that should display that data to the public (without people registering and logging in). Any tips how to solve this?
const apiAuth = (req, res, next) => {
let authRequired = true;
if (
req.path == "/api/users/register" ||
req.path == "/api/users/login" ||
req.path == "/api/profiles/:profileId"
) {
authRequired = false;
}
if (authRequired == true) {
// Auth check logic
}
}

There's a few better approaches for handling the requirement of middleware, that are generally used over the method you're suggesting:
Only include your authentication middleware on routes you require it:
const authenticationMiddleware = (req, res, next) => {
// your login check logic
}
router.get('/api/users/me', authenticationMiddleware, (req, res, next) => {
// your route logic, this endpoint now requires you to be logged in, as you have specified your authentication middleware in the declaration,
})
router.get('/api/profiles/:profileId', (req, res, next) => {
// your route logic, this endpoint does not require you to be logged in as you have not put the middleware in the route delcaration
})
Or, add the authentication middleware based on where your routes are called:
router.get('/api/profiles/:profileId', (req, res, next) => {
// your route logic, this endpoint does not require you to be logged as we have not told our router to use the middleware yet
})
router.use(authenticationMiddleware)
router.get('/api/users/me', (req, res, next) => {
// your route logic, this endpoint now requires you to be logged in, as the router has been told to use the middleware at this point.
})
Why these methods? Try and think of all the router or app calls you're making as adding to a stack which express uses to handle calls to your site or API. As it works its way through looks for routes it will call any middlewares it finds on its way.
This solves the issue of having to declare a list or array of routes which do or don't require a particular piece of authentication, etc.
You'll also need to make sure to call next() in your middleware if you want it to work, as this tells express to continue going through all the routes/middleware's it has.

express-jwt middleware uses full paths instead of subpaths when used with express routers

I am using Node/Express.js to build an API. The API is present in the /api prefix if the prefix is not set, then Express server will return a Vue JS frontend. So basically I want express-jwt to get used as a middleware only when the /api prefix is set. For that reason I am using express router by doing app.use('/api, router).
And in the router file, I am using the express.jwt with unless syntax, to prevent any unauthorized access.
I also made the choice to implement express-jwt in the router file because I don't want to add /api/somepath in the express-jwt.unless, instead, I would like it to use /somepath and consider it as /api/somepath because I am using it with the router.
My router file:
const router = require('express').Router()
const routeController = require('./routeController')
const ejwt = require('express-jwt')
const config = require('../config/config')
// Protected Routes
// Protect Routes
router.use(
ejwt({
secret: config.APP_SECRET,
getToken: req => {
const { token } = req.body
if (token) return token
return null
}
}).unless({
path: ['/', '/auth/generateToken']
})
)
router.use(function(err, req, res, next) {
if (err.name === 'UnauthorizedError') {
res.status(401).send({
status: false,
message: 'Access Forbidden'
})
} else {
next()
}
})
This didn't work for me. Whenever I try to access the frontend with /, the express-jwt middleware gets triggered and I can't even access my frontend. I can get this working If I also provide it all of my frontend routes as well. Which is not an all a good idea because the frontend has a lot of paths.
In short, I want the middleware to only check for the token if the path has /api prefix set. Thanks in Advance :)

How to apply instance of use() to all routes except those handed by app.use(express.static("dist"))?

I think I have resolved this issue in the process of writing it, basically the solution seems to be:
Move the static file handler above the other instance of use()
Confirmation that this is an acceptable approach would be appreciated though and perhaps help others in a similar scenario.
Desired Behaviour
Apply a use() instance to all routes except those handled by:
app.use(express.static("dist"));
Actual Behaviour
use() is being applied to all routes, including those handled by:
app.use(express.static("dist"));
Scenario
For securing access to API's, I am using the model described in this Lynda.com tutorial:
Node.js: Securing RESTful APIs
In pseudo code, the model is essentially comprised of:
a global use() instance that checks if a jwt token has been sent
if a token has been sent, if verifies the token
it sets the req.user property to undefined if verification fails or a token wasn't sent
otherwise, it sets the req.user property to the decoded jwt value if verification succeeds
subsequent middleware performs conditional behaviour based on the value of req.user
This model is working well for all intents and purposes.
However, I recently added some console logging and can see that verification is being performed for both:
api requests (desired behaviour)
static files served via app.use(express.static("dist")) per this convention (undesired behaviour)
Question
How can I apply the verification use() instance to all routes, except those handled by app.use(express.static("dist")).
What I've Tried
I think I have resolved this issue by moving section 2 of the code below above section 1.
// 01. verification use() called on all requests
app.use((req, res, next) => {
// if jwt authorisation has been sent in headers, verify it
if (req.headers && req.headers.authorization && req.headers.authorization.split(' ')[0] === 'JWT') {
console.log("jwt verification sent, verifying...");
try {
// this is synchronous as it has no callback
req.user = jsonwebtoken.verify(req.headers.authorization.split(' ')[1], 'RESTFULAPIs');
console.log("jwt verified, will return decoded value");
} catch (err) {
req.user = undefined;
console.log("jwt verification failed, user will remain undefined: " + err);
}
// move to the next piece of middleware
next();
}
// if jwt authorisation has not been sent in headers
else {
console.log("jwt verification not sent, leaving user as undefined");
console.log(req.originalUrl);
req.user = undefined;
// move to the next piece of middleware
next();
}
});
// 02. use() for serving static files
app.use(express.static("dist"));
// 03. middleware to check if login has been verified
const api_login_required = (req, res, next) => {
// if token verification was successful and the user property exists
if (req.user) {
// move to the next piece of middleware
next();
}
// otherwise, return unauthorised user message
else {
res.json({ verification: 0 });
}
}
// 04. middleware called in route handlers
app.route("/api/:api_version/users/private_data")
.get(api_login_required, api_users_private_data_get)
.post(api_login_required, api_users_private_data_post);

Middleware always controls the flow from to button in which order they wrote. Like
if (example 1)code like
app.use((req,res, next)=>{// middleware 1; next()} )
app.get('/rot1', (req, res)=> res.status(200).send('route 1'));
app.get('/rot2', (req, res)=> res.status(200).send('route 2'));
In this case, middleware appears in both route1, route because of middleware set at the top of the route.
If (example 2)code like
app.use((req,res, next)=>{// middleware 1; next()} )
app.get('/rot1', (req, res)=> res.status(200).send('route 1'));
app.use((req,res, next)=>{// middleware 2; next()} )
app.get('/rot2', (req, res)=> res.status(200).send('route 2'));
Here middleware1 applied in both route1 and route 2
But middleware2 applied only on route2.
But you can also define specific middleware for each route
function middleware1(req, res, next){
next();
}
function middleware2(req, res, next){
next();
}
app.get('/rot1', middleware1, (req, res)=> res.status(200).send('route 1'));
app.get('/rot2', middleware2, (req, res)=> res.status(200).send('route 2'));
Here middleware1 only applied on route1 and middleware2 only applied on route2.
Maybe above explanation help you!!

In REST API, How to restrict URL access from browser using Nodejs & Expressjs

I have a MEAN stack application and using Node.js and Express.js as back-end API.
Assuming I have a 'comments' route as follow
/* GET /comments listing. */
router.get("/", function(req, res, next) {
Comment.find(function(err, comments) {
if (err) return next(err);
res.json(comments);
});
});
And use it in my server like this:
var commentsRouter = require('./routes/comments');
...
app.use('/comments', commentsRouter);
My question is: Is there a way to prevent users to access http://mrUrl/comments in browser and deny the request with probably 403 Forbidden message but at the same time JavaScript file tries to access the same URL will receive a content message (in the example should be res.json(comments);)
Also, would it be possible to enable such a restriction for all routes once, not for each.

Yes, you can use a middleware.
A middleware is a function you can pass before or after the main function you are executing (in this case, GET comments)
the order of the function location matters, what comes first - executes first, and you implement it like so:
app.use(myBrowsingRestrictionMiddlewareFunction) // Runs
app.use('/comments', commentsRouter);
app.use('/account', accountRouter);
You can also use within a route handler:
app.post('/comments', myMakeSureDataIsAlrightFunction, myMainCreateCommentFunction, myAfterStatusWasSentToClientAndIWishToMakeAnotherInternalActionMiddleware);
The properties req, res, next are passed into the function automatically.
which means, myBrowsingRestrictionMiddlewareFunction receives them and you can use them like so:
export function myBrowsingRestrictionMiddlewareFunction(req, res, next) {
if (req.headers['my-special-header']) {
// custom header exists, then call next() to pass to the next function
next();
} else {
res.sendStatus(403);
}
}
EDIT
Expanding regards to where to place the middleware in the FS structure (personal suggestion):
What I like to do is to separate the router from app.js like so:
app.js
app.use('/', mainRouter);
router.js
const router = express.Router();
router.use(middlewareForAllRoutes);
router.use('/comments', commentsRouter);
router.use(middlewareForOnlyAnyRouteBelow);
router.use('/account', accountRouter);
router.use(middlewareThatWillBeFiredLast); // To activate this, remember to call next(); on the last function handler in your route.
commentsRouter.js
const router = express.Router();
router.use(middlewareForAllRoutesONLYFORWithinAccountRoute);
route.get('/', middlewareOnlyForGETAccountRoute, getAccountFunction);
router.post('/', createAccount);

NodeJS / Express: what is "app.use"?

In the docs for the NodeJS express module, the example code has app.use(...).
What is the use function and where is it defined?

The app object is instantiated on creation of the Express server. It has a middleware stack that can be customized in app.configure()(this is now deprecated in version 4.x).
To setup your middleware, you can invoke app.use(<specific_middleware_layer_here>) for every middleware layer that you want to add (it can be generic to all paths, or triggered only on specific path(s) your server handles), and it will add onto your Express middleware stack. Middleware layers can be added one by one in multiple invocations of use, or even all at once in series with one invocation.
See use documentation for more details.
To give an example for conceptual understanding of Express Middleware, here is what my app middleware stack (app.stack) looks like when logging my app object to the console as JSON:
stack:
[ { route: '', handle: [Function] },
{ route: '', handle: [Function: static] },
{ route: '', handle: [Function: bodyParser] },
{ route: '', handle: [Function: cookieParser] },
{ route: '', handle: [Function: session] },
{ route: '', handle: [Function: methodOverride] },
{ route: '', handle: [Function] },
{ route: '', handle: [Function] } ]
As you might be able to deduce, I called app.use(express.bodyParser()), app.use(express.cookieParser()), etc, which added these express middleware 'layers' to the middleware stack. Notice that the routes are blank, meaning that when I added those middleware layers I specified that they be triggered on any route. If I added a custom middleware layer that only triggered on the path /user/:id that would be reflected as a string in the route field of that middleware layer object in the stack printout above.
Each layer is essentially adding a function that specifically handles something to your flow through the middleware.
E.g. by adding bodyParser, you're ensuring your server handles incoming requests through the express middleware. So, now parsing the body of incoming requests is part of the procedure that your middleware takes when handling incoming requests -- all because you called app.use(bodyParser).

Each app.use(middleware) is called every time a request is sent to the server.

use is a method to configure the middleware used by the routes of the Express HTTP server object. The method is defined as part of Connect that Express is based upon.
Update Starting with version 4.x, Express no longer depends on Connect.
The middleware functions that were previously included with Express are now in separate modules; see the list of middleware functions.

app.use() acts as a middleware in express apps. Unlike app.get() and app.post() or so, you actually can use app.use() without specifying the request URL. In such a case what it does is, it gets executed every time no matter what URL's been hit.

app.use() used to Mounts the middleware function or mount to a specified path,the middleware function is executed when the base path matches.
For example:
if you are using app.use() in indexRouter.js , like this:
//indexRouter.js
var adsRouter = require('./adsRouter.js');
module.exports = function(app) {
app.use('/ads', adsRouter);
}
In the above code app.use() mount the path on '/ads' to adsRouter.js.
Now in adsRouter.js
// adsRouter.js
var router = require('express').Router();
var controllerIndex = require('../controller/index');
router.post('/show', controllerIndex.ads.showAd);
module.exports = router;
in adsRouter.js, the path will be like this for ads- '/ads/show', and then it will work according to controllerIndex.ads.showAd().
app.use([path],callback,[callback]) :
we can add a callback on the same.
app.use('/test', function(req, res, next) {
// write your callback code here.
});

app.use() handles all the middleware functions.
What is middleware?
Middlewares are the functions which work like a door between two all the routes.
For instance:
app.use((req, res, next) => {
console.log("middleware ran");
next();
});
app.get("/", (req, res) => {
console.log("Home route");
});
When you visit / route in your console the two message will be printed. The first message will be from middleware function. If there is no next() function passed then only middleware function runs and other routes are blocked.

app.use(function middleware1(req, res, next){
// middleware1 logic
}, function middleware2(req, res, next){
// middleware2 logic
}, ... middlewareN);
app.use is a way to register middleware or chain of middlewares (or multiple middlewares) before executing any end route logic or intermediary route logic depending upon order of middleware registration sequence.
Middleware: forms chain of functions/middleware-functions with 3 parameters req, res, and next. next is callback which refer to next middleware-function in chain and in case of last middleware-function of chain next points to first-middleware-function of next registered middlerare-chain.

app.use() works like that:
Request event trigered on node http server instance.
express
does some of its inner manipulation with req object.
This is when
express starts doing things you specified with app.use
which very simple.
And only then express will do the rest of the stuff like routing.

The .use() method in express is a *middleware handler. An Express application is essentially a series of middleware function calls.
An Express application can use 5 different types of middleware, of which these two are majorly used:
Application-level middleware
Router-level middleware
App.use() is used to bind *application-level middleware to an instance of the app object which is instantiated on the creation of the Express server (router.use() for router-level middleware).
Syntax : app.use(path, middleware function/s)
Here, the path is optional. When no path is specified the function gets executed every time the app receives a request, irrespective of which URL has been hit.
*Example:
Auth middleware - In a To-Do app, once an already created user logs in, he is provided with a JWT token, which must be verified every time the user makes a GET, PUT, PATCH, POST or DELETE request.
app.use("/api/*", verifyToken(req, res, next): void {
const jwt: string = req.headers['x-token-header'];
if (!jwt) {
res.status(403).send({ message: 'No token provided!' });
} else {
jsonwebtoken.verify(jwt, config.get('secretString'), (err) => {
if (err) {
res.status(403).send(err);
} else {
next();
}
});
});
Here, the path /api has been added to differentiate from requests that do not need a JWT authentication such as sign up and log in (since we don't want the middleware to be executed when there's no need for authentication).
*Middleware functions are functions that have access to the request object (req), the response object (res), and the next middleware function in the application’s request-response cycle. The next middleware function is commonly denoted by a variable named next.
Syntax of a middleware: function(req, res, next)

In express if we
import express from "express"
and use app = express();
then app having all functionality of express
if we use app.use()
with any module/middleware function to use in whole express project

app.use is woks as middleware for app request.
syntax
app.use('pass request format',function which contain request response onject)
example
app.use('/',funtion(req,res){
console.log(all request pass through it);
// here u can check your authentication and other activities.
})
also you can use it in case of routing your request.
app.use('/', roting_object);

app.use is a function requires middleware. For example:
app.use('/user/:id', function (req, res, next) {
console.log('Request Type:', req.method);
next();
});
This example shows the middleware function installed in the /user/:id path. This function is executed for any type of HTTP request in the /user/:id path.
It is similar to the REST Web Server, just use different /xx to represent different actions.

app.use() is a method that allows us to register a middleware.
The middleware method is like an interceptor in java, this method always executes for all requests.
Purpose and use of middleware:-
To check if the session expired or not
for user authentication and authorization
check for cookie (expiry date)
parse data before the response

Middleware is a general term for software that serves to "glue together" so
app.use is a method to configure the middleware, for example: to parse and handle the body of request:
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
there are many middlewares you can use in your express application
just read the doc :
http://expressjs.com/en/guide/using-middleware.html

app.use applies the specified middleware to the main app middleware stack. When attaching middleware to the main app stack, the order of attachment matters; if you attach middleware A before middleware B, middleware A will always execute first. You can specify a path for which a particular middleware is applicable. In the below example, “hello world” will always be logged before “happy holidays.”
const express = require('express')
const app = express()
app.use(function(req, res, next) {
console.log('hello world')
next()
})
app.use(function(req, res, next) {
console.log('happy holidays')
next()
})

It enables you to use any middleware (read more) like body_parser,CORS etc. Middleware can make changes to request and response objects. It can also execute a piece of code.

You can also create your own middleware function like
app.use( function(req, res, next) {
// your code
next();
})
It contains three parameters req, res, next
You can also use it for authentication and validation of input params to keep your
controller clean.
next() is used for go to next middleware or route.
You can send the response from middleware

app.use is Application level middleware
Bind application-level middleware to an instance of the app object by using the app.use() and app.METHOD() functions, where METHOD is the HTTP method of the request that the middleware function handles (such as GET, PUT, or POST) in lowercase.
you can use to check all requests, for example, you want to check token/access token you need to write a middleware by using app.use to check the token in the request.
This example shows a middleware function with no mount path. The function is executed every time the app receives a request.
var app = express()
app.use(function (req, res, next) {
console.log('Time:', Date.now())
next()
})
reference from https://expressjs.com/en/guide/using-middleware.html

app.use(path, middleware) is used to call middleware function that needs to be called before the route is hit for the corresponding path. Multiple middleware functions can be invoked via an app.use.
app.use(‘/fetch’, enforceAuthentication) -> enforceAuthentication middleware fn will be called when a request starting with ‘/fetch’ is received. It can be /fetch/users, /fetch/ids/{id}, etc
Some middleware functions might have to be called irrespective of the request. For such cases, a path is not specified, and since the the path defaults to / and every request starts with /, this middleware function will be called for all requests.
app.use(() => { // Initialize a common service })
next() fn needs to be called within each middleware function when multiple middleware functions are passed to app.use, else the next middleware function won’t be called.
reference : http://expressjs.com/en/api.html#app.use
Note: The documentation says we can bypass middleware functions following the current one by calling next('route') within the current middleware function, but this technique didn't work for me within app.use but did work with app.METHOD like below. So, fn1 and fn2 were called but not fn3.
app.get('/fetch', function fn1(req, res, next) {
console.log("First middleware function called");
next();
},
function fn2(req, res, next) {
console.log("Second middleware function called");
next("route");
},
function fn3(req, res, next) {
console.log("Third middleware function will not be called");
next();
})

app.use(req, res, next) is an API that allows us to add one or more middlewares to the request pipeline of express. A middleware is a function that has a defined signature, and through that, you can modify or end the request, returning a response according to a condition that you program. For example, I can call res.end() and finish the request to the client. Middlewares are executed in the order they're added. I can simply decorate the req object, adding or removing properties, for example, authenticating an user and setting req.user = 'any user of database', and calling next(), the next middleware will begin its execution, receiving the same instance of req, res, next.

Bind application-level middleware to an instance of the app object by using the app.use() and app.METHOD() functions, where METHOD is the HTTP method of the request that the middleware function handles (such as GET, PUT, or POST) in lowercase.

In short app.use() supports all type of requests [eg:get,post,...]
so its mostly used to setup middelware.
or can be used for when the routes and functions seperated
example:
app.use("/test",functionName)
and functionName is located in different file

app.use
is created by express(nodejs middleware framework )
app.use is use to execute any specific query at intilization process
server.js(node)
var app = require('express');
app.use(bodyparser.json())
so the basically app.use function called every time when server up

You can use app.use('/apis/test', () => {...}) for writing middleware for your api, to handle one or some action (authentication, validation data, validation tokens, etc) before it can go any further or response with specific status code when the condition that you gave was not qualified.
Example:
var express = require('express')
var app = express()
app.use(function (req, res, next) {
// Your code to handle data here
next()
})
More detail is, this part actually an anonymous function for you to write the logic on runtime
function (req, res, next) {
// Your code to handle data here
next()
}
You can split it into another function from another file and using module.export to use
next() here for the logic that if you handle everything is fine then you can use then for the program to continue the logic that its used to.

The app.use() function is used to mount the specified middleware function(s) at the path which is being specified. It is mostly used to set up middleware for your application.
Syntax
app.use(path, callback)
Parameters:
path: It is the path for which the middleware function is being called. It can be a string representing a path or path pattern or regular expression pattern to match the paths.
callback: It is a middleware function or a series/array of middleware functions.

In simple words app.use() is a function that takes another function (callback) as a parameter and runs every time, when the request is sent to the express app/server.
The function passed inside app.use is also called middleware, middleware is just a fancy name for a function that exists in express app and has three parameters request, response and next. You can read more about middleware.
Middleware are called between request and response cycle. If you want a middleware to be applied on all the routes then you can use app.use() or do some validation, error checking and other things.

app.use() will be called for every request: GET, POST, PUT, PATCH, DELETE

Let's say we have a set of routes that our site can handle
app.get('/1/', function(req, res) {
res.send('page1');
});
app.get('/2/', function(req, res) {
res.send('page2');
});
Obviously, if an address is requested that we do not process, then a 404 error should be returned. Express, however, does not do this by default. But it's easy to implement.
The special method app.use will help us with this. It allows you to intercept all raw addresses
Let's use this method to return a 404 error
app.use(function(req, res) {
res.status(404).send('not found');
});
Now let's place our construction after all app.get
app.get('/1/', function(req, res) {
res.send('page1');
});
app.get('/2/', function(req, res) {
res.send('page2');
});
app.use(function(req, res) {
res.status(404).send('not found');
});

As the name suggests, it acts as a middleware in your routing.
Let's say for any single route, you want to call multiple url or perform multiple functions internally before sending the response.
you can use this middleware and pass your route and perform all internal operations.
syntax:
app.use( function(req, res, next) {
// code
next();
})
next is optional, you can use to pass the result using this parameter to the next function.

app.use() is the application middleware.
Bind application-level middleware to an instance of the app object by using the app. use() and app. METHOD() functions, where METHOD is the HTTP method of the request that the middleware function handles (such as GET, PUT, or POST)
var express = require('express');
var app = express();
var PORT = 3000;
// This middleware will not allow the
// request to go beyond it
app.use(function (req, res, next) {
console.log("Middleware called")
next();
});
// Requests will never reach this route
app.get('/user', function (req, res) {
console.log("/user request called");
res.send('Hello test');
});
app.listen(PORT, function(err){
if (err) console.log(err);
console.log("Server listening on PORT", PORT);
});