Develop Reference

In REST API, How to restrict URL access from browser using Nodejs & Expressjs

I have a MEAN stack application and using Node.js and Express.js as back-end API.
Assuming I have a 'comments' route as follow
/* GET /comments listing. */
router.get("/", function(req, res, next) {
Comment.find(function(err, comments) {
if (err) return next(err);
res.json(comments);
});
});
And use it in my server like this:
var commentsRouter = require('./routes/comments');
...
app.use('/comments', commentsRouter);
My question is: Is there a way to prevent users to access http://mrUrl/comments in browser and deny the request with probably 403 Forbidden message but at the same time JavaScript file tries to access the same URL will receive a content message (in the example should be res.json(comments);)
Also, would it be possible to enable such a restriction for all routes once, not for each.

Yes, you can use a middleware.
A middleware is a function you can pass before or after the main function you are executing (in this case, GET comments)
the order of the function location matters, what comes first - executes first, and you implement it like so:
app.use(myBrowsingRestrictionMiddlewareFunction) // Runs
app.use('/comments', commentsRouter);
app.use('/account', accountRouter);
You can also use within a route handler:
app.post('/comments', myMakeSureDataIsAlrightFunction, myMainCreateCommentFunction, myAfterStatusWasSentToClientAndIWishToMakeAnotherInternalActionMiddleware);
The properties req, res, next are passed into the function automatically.
which means, myBrowsingRestrictionMiddlewareFunction receives them and you can use them like so:
export function myBrowsingRestrictionMiddlewareFunction(req, res, next) {
if (req.headers['my-special-header']) {
// custom header exists, then call next() to pass to the next function
next();
} else {
res.sendStatus(403);
}
}
EDIT
Expanding regards to where to place the middleware in the FS structure (personal suggestion):
What I like to do is to separate the router from app.js like so:
app.js
app.use('/', mainRouter);
router.js
const router = express.Router();
router.use(middlewareForAllRoutes);
router.use('/comments', commentsRouter);
router.use(middlewareForOnlyAnyRouteBelow);
router.use('/account', accountRouter);
router.use(middlewareThatWillBeFiredLast); // To activate this, remember to call next(); on the last function handler in your route.
commentsRouter.js
const router = express.Router();
router.use(middlewareForAllRoutesONLYFORWithinAccountRoute);
route.get('/', middlewareOnlyForGETAccountRoute, getAccountFunction);
router.post('/', createAccount);

Koa2: how to write chain of middleware?

So in express, we can have a chain of middleware, copies an example:
middleware = function(req, res){
res.send('GET request to homepage');
});
app.get('/', middleware, function (req, res) {
res.send('GET request to homepage');
});
What's the equivalent way to write this in koa2 please ?
I'm thinking of using it for the route, for each route i want to have a middleware to check if user is already logged in.
Thanks !

If you're simply interested in making sure a middlware runs for every route, all you have to do is register the middleware before you register your routing middelware.
app.use(middleware);
As long as you call this before you 'use' your router, it will be called for every request. Just make sure you call the next function. This is how your middleware might look like:
function middleware(ctx, next) {
// Authenticate user
// Eventually call this
return next();
}

Node.js Express middleware function without next

In Express middleware, it should be taking 3 parameters: request, response, next.
However, in the 2nd middleware in the code where I copied from a book, but only use request, response. What is the reason here? and is next optional?
var express = require("express");
var http = require("http");
var app = express();
app.use(function(request, response, next) {
console.log("In comes a " + request.method + " to " + request.url);
next();
});
app.use(function(request, response) {
response.writeHead(200, { "Content-Type": "text/plain" });
response.end("Hello, world!");
});
http.createServer(app).listen(3000);

next() is called when you want the routing for this request to continue onto the next middleware or the next route handler for this request. It is common to have more than one middleware that might examine a given request so if you did not send a response and want normal routing to continue for this request, then you would call next() when you were done with your processing and you want routing to continue.
If you have already sent a response and thus do not want routing to continue, then you do not call next().
It is up to you whether you declare the parameter next or not. If you never intend to call it, then you don't need to declare it as a parameter (it is still passed, but you don't have to declare it if you're not going to use it).
So, you can declare your middleware/requeset handler with parameters req and res like this:
app.use("/someRoute", function(req, res) {
res.send("hello");
});
Or, with parameters req, res and next like this:
app.use("/someRoute", function(req, res, next) {
if (req.query.x) {
// don't handle this request here, let some other route
// handler following this handle it
next();
} else {
// send the response, no more route handlers after this
res.send("hello");
}
});
It makes no difference to Express whether you declare the next argument or not. If you plan on using it, then declare it. If you don't plan on using it, then there is no reason to declare it, but it is passed anyway. This is true of all Javascript function arguments. If you don't declare all the arguments as named arguments, it just makes it harder to access them, but they are still there (for completeness, then can still be accessed through the arguments object).
There's also a special case route handler with four arguments (err, req, res, next) which is used for error handling (when next(err) is called), but that's not what your question is about. Express does treat route handlers with four arguments declared differently. It registers them as error handlers.

With express.js there are 4 types of basic handlers.
2 - req, res
3 - req, res, next
4 - err, req, res, next
If you have 2 arguments, express will always assign a req and res to them, no matter what you call them. It's just a calling convention that is widely used by the express community that makes for cleaner, readable and understandable code.

How to exit from a stack of middleware in Express.js

I am working a REST web application backend and I got some problem when linking my middleware together.
For example, the stack of the middlewares that each request has to go through is like [before1, service, after1], and here's the code for the middleware "before1", this is just the code I used for testing:
'use strict';
var express = require('express');
var router = express.Router();
router.use(function(request, response, next){
console.log('This is middleware BEFORE1');
var success = true
if (!success){
// Go the logging middleware underneath
next();
}
else{
// Go to the 'service' middleware
next('route');
}
})
router.use(function(request, response, next){
console.log('This is middleware LOGGING');
response.sendStatus(400);
response.end();
})
module.exports = router;
The above code is simply saying if the 'before1' succeeds, it should go straight to call 'service' middleware, and otherwise go to the logging middleware underneath and end the request. But my problem is that I can't figure out a way that it could skip the logging middleware, I searched and found next('route') could help, but it didn't work here. What have I missed?
Thanks in advance!
EDIT:
Or more preferably, it's the best if I can issue an error in any of my middleware and handle all types of errors properly using a error handler middleware.
The skeleton of my top level code is the following:
// An array of middleware to be executed asynchronously
operations = [before1, service, before2];
async.series(operations, function(err) {
if(err) {
// one of the functions passed back an error so handle it here
console.log('Handling error!!!!');
res.end();
// return next(err);
}
console.log('middleware get executed');
// no errors so pass control back to express
next();
});
But I am not sure How should change my middlewares accordingly in order to do that.

next is a node-style callback, which means fn(err, ..), so your next('route') will only work to invoke errorhandlers.
You can implement your series directly by supplying an array of functions to the route, and using an express error handler as the catch all (see http://expressjs.com/guide/error-handling.html)

NodeJS / Express: what is "app.use"?

In the docs for the NodeJS express module, the example code has app.use(...).
What is the use function and where is it defined?

The app object is instantiated on creation of the Express server. It has a middleware stack that can be customized in app.configure()(this is now deprecated in version 4.x).
To setup your middleware, you can invoke app.use(<specific_middleware_layer_here>) for every middleware layer that you want to add (it can be generic to all paths, or triggered only on specific path(s) your server handles), and it will add onto your Express middleware stack. Middleware layers can be added one by one in multiple invocations of use, or even all at once in series with one invocation.
See use documentation for more details.
To give an example for conceptual understanding of Express Middleware, here is what my app middleware stack (app.stack) looks like when logging my app object to the console as JSON:
stack:
[ { route: '', handle: [Function] },
{ route: '', handle: [Function: static] },
{ route: '', handle: [Function: bodyParser] },
{ route: '', handle: [Function: cookieParser] },
{ route: '', handle: [Function: session] },
{ route: '', handle: [Function: methodOverride] },
{ route: '', handle: [Function] },
{ route: '', handle: [Function] } ]
As you might be able to deduce, I called app.use(express.bodyParser()), app.use(express.cookieParser()), etc, which added these express middleware 'layers' to the middleware stack. Notice that the routes are blank, meaning that when I added those middleware layers I specified that they be triggered on any route. If I added a custom middleware layer that only triggered on the path /user/:id that would be reflected as a string in the route field of that middleware layer object in the stack printout above.
Each layer is essentially adding a function that specifically handles something to your flow through the middleware.
E.g. by adding bodyParser, you're ensuring your server handles incoming requests through the express middleware. So, now parsing the body of incoming requests is part of the procedure that your middleware takes when handling incoming requests -- all because you called app.use(bodyParser).

Each app.use(middleware) is called every time a request is sent to the server.

use is a method to configure the middleware used by the routes of the Express HTTP server object. The method is defined as part of Connect that Express is based upon.
Update Starting with version 4.x, Express no longer depends on Connect.
The middleware functions that were previously included with Express are now in separate modules; see the list of middleware functions.

app.use() acts as a middleware in express apps. Unlike app.get() and app.post() or so, you actually can use app.use() without specifying the request URL. In such a case what it does is, it gets executed every time no matter what URL's been hit.

app.use() used to Mounts the middleware function or mount to a specified path,the middleware function is executed when the base path matches.
For example:
if you are using app.use() in indexRouter.js , like this:
//indexRouter.js
var adsRouter = require('./adsRouter.js');
module.exports = function(app) {
app.use('/ads', adsRouter);
}
In the above code app.use() mount the path on '/ads' to adsRouter.js.
Now in adsRouter.js
// adsRouter.js
var router = require('express').Router();
var controllerIndex = require('../controller/index');
router.post('/show', controllerIndex.ads.showAd);
module.exports = router;
in adsRouter.js, the path will be like this for ads- '/ads/show', and then it will work according to controllerIndex.ads.showAd().
app.use([path],callback,[callback]) :
we can add a callback on the same.
app.use('/test', function(req, res, next) {
// write your callback code here.
});

app.use() handles all the middleware functions.
What is middleware?
Middlewares are the functions which work like a door between two all the routes.
For instance:
app.use((req, res, next) => {
console.log("middleware ran");
next();
});
app.get("/", (req, res) => {
console.log("Home route");
});
When you visit / route in your console the two message will be printed. The first message will be from middleware function. If there is no next() function passed then only middleware function runs and other routes are blocked.

app.use(function middleware1(req, res, next){
// middleware1 logic
}, function middleware2(req, res, next){
// middleware2 logic
}, ... middlewareN);
app.use is a way to register middleware or chain of middlewares (or multiple middlewares) before executing any end route logic or intermediary route logic depending upon order of middleware registration sequence.
Middleware: forms chain of functions/middleware-functions with 3 parameters req, res, and next. next is callback which refer to next middleware-function in chain and in case of last middleware-function of chain next points to first-middleware-function of next registered middlerare-chain.

app.use() works like that:
Request event trigered on node http server instance.
express
does some of its inner manipulation with req object.
This is when
express starts doing things you specified with app.use
which very simple.
And only then express will do the rest of the stuff like routing.

The .use() method in express is a *middleware handler. An Express application is essentially a series of middleware function calls.
An Express application can use 5 different types of middleware, of which these two are majorly used:
Application-level middleware
Router-level middleware
App.use() is used to bind *application-level middleware to an instance of the app object which is instantiated on the creation of the Express server (router.use() for router-level middleware).
Syntax : app.use(path, middleware function/s)
Here, the path is optional. When no path is specified the function gets executed every time the app receives a request, irrespective of which URL has been hit.
*Example:
Auth middleware - In a To-Do app, once an already created user logs in, he is provided with a JWT token, which must be verified every time the user makes a GET, PUT, PATCH, POST or DELETE request.
app.use("/api/*", verifyToken(req, res, next): void {
const jwt: string = req.headers['x-token-header'];
if (!jwt) {
res.status(403).send({ message: 'No token provided!' });
} else {
jsonwebtoken.verify(jwt, config.get('secretString'), (err) => {
if (err) {
res.status(403).send(err);
} else {
next();
}
});
});
Here, the path /api has been added to differentiate from requests that do not need a JWT authentication such as sign up and log in (since we don't want the middleware to be executed when there's no need for authentication).
*Middleware functions are functions that have access to the request object (req), the response object (res), and the next middleware function in the application’s request-response cycle. The next middleware function is commonly denoted by a variable named next.
Syntax of a middleware: function(req, res, next)

In express if we
import express from "express"
and use app = express();
then app having all functionality of express
if we use app.use()
with any module/middleware function to use in whole express project

app.use is woks as middleware for app request.
syntax
app.use('pass request format',function which contain request response onject)
example
app.use('/',funtion(req,res){
console.log(all request pass through it);
// here u can check your authentication and other activities.
})
also you can use it in case of routing your request.
app.use('/', roting_object);

app.use is a function requires middleware. For example:
app.use('/user/:id', function (req, res, next) {
console.log('Request Type:', req.method);
next();
});
This example shows the middleware function installed in the /user/:id path. This function is executed for any type of HTTP request in the /user/:id path.
It is similar to the REST Web Server, just use different /xx to represent different actions.

app.use() is a method that allows us to register a middleware.
The middleware method is like an interceptor in java, this method always executes for all requests.
Purpose and use of middleware:-
To check if the session expired or not
for user authentication and authorization
check for cookie (expiry date)
parse data before the response

Middleware is a general term for software that serves to "glue together" so
app.use is a method to configure the middleware, for example: to parse and handle the body of request:
app.use(bodyParser.urlencoded({ extended: true }));
app.use(bodyParser.json());
there are many middlewares you can use in your express application
just read the doc :
http://expressjs.com/en/guide/using-middleware.html

app.use applies the specified middleware to the main app middleware stack. When attaching middleware to the main app stack, the order of attachment matters; if you attach middleware A before middleware B, middleware A will always execute first. You can specify a path for which a particular middleware is applicable. In the below example, “hello world” will always be logged before “happy holidays.”
const express = require('express')
const app = express()
app.use(function(req, res, next) {
console.log('hello world')
next()
})
app.use(function(req, res, next) {
console.log('happy holidays')
next()
})

It enables you to use any middleware (read more) like body_parser,CORS etc. Middleware can make changes to request and response objects. It can also execute a piece of code.

You can also create your own middleware function like
app.use( function(req, res, next) {
// your code
next();
})
It contains three parameters req, res, next
You can also use it for authentication and validation of input params to keep your
controller clean.
next() is used for go to next middleware or route.
You can send the response from middleware

app.use is Application level middleware
Bind application-level middleware to an instance of the app object by using the app.use() and app.METHOD() functions, where METHOD is the HTTP method of the request that the middleware function handles (such as GET, PUT, or POST) in lowercase.
you can use to check all requests, for example, you want to check token/access token you need to write a middleware by using app.use to check the token in the request.
This example shows a middleware function with no mount path. The function is executed every time the app receives a request.
var app = express()
app.use(function (req, res, next) {
console.log('Time:', Date.now())
next()
})
reference from https://expressjs.com/en/guide/using-middleware.html

app.use(path, middleware) is used to call middleware function that needs to be called before the route is hit for the corresponding path. Multiple middleware functions can be invoked via an app.use.
app.use(‘/fetch’, enforceAuthentication) -> enforceAuthentication middleware fn will be called when a request starting with ‘/fetch’ is received. It can be /fetch/users, /fetch/ids/{id}, etc
Some middleware functions might have to be called irrespective of the request. For such cases, a path is not specified, and since the the path defaults to / and every request starts with /, this middleware function will be called for all requests.
app.use(() => { // Initialize a common service })
next() fn needs to be called within each middleware function when multiple middleware functions are passed to app.use, else the next middleware function won’t be called.
reference : http://expressjs.com/en/api.html#app.use
Note: The documentation says we can bypass middleware functions following the current one by calling next('route') within the current middleware function, but this technique didn't work for me within app.use but did work with app.METHOD like below. So, fn1 and fn2 were called but not fn3.
app.get('/fetch', function fn1(req, res, next) {
console.log("First middleware function called");
next();
},
function fn2(req, res, next) {
console.log("Second middleware function called");
next("route");
},
function fn3(req, res, next) {
console.log("Third middleware function will not be called");
next();
})

app.use(req, res, next) is an API that allows us to add one or more middlewares to the request pipeline of express. A middleware is a function that has a defined signature, and through that, you can modify or end the request, returning a response according to a condition that you program. For example, I can call res.end() and finish the request to the client. Middlewares are executed in the order they're added. I can simply decorate the req object, adding or removing properties, for example, authenticating an user and setting req.user = 'any user of database', and calling next(), the next middleware will begin its execution, receiving the same instance of req, res, next.

Bind application-level middleware to an instance of the app object by using the app.use() and app.METHOD() functions, where METHOD is the HTTP method of the request that the middleware function handles (such as GET, PUT, or POST) in lowercase.

In short app.use() supports all type of requests [eg:get,post,...]
so its mostly used to setup middelware.
or can be used for when the routes and functions seperated
example:
app.use("/test",functionName)
and functionName is located in different file

app.use
is created by express(nodejs middleware framework )
app.use is use to execute any specific query at intilization process
server.js(node)
var app = require('express');
app.use(bodyparser.json())
so the basically app.use function called every time when server up

You can use app.use('/apis/test', () => {...}) for writing middleware for your api, to handle one or some action (authentication, validation data, validation tokens, etc) before it can go any further or response with specific status code when the condition that you gave was not qualified.
Example:
var express = require('express')
var app = express()
app.use(function (req, res, next) {
// Your code to handle data here
next()
})
More detail is, this part actually an anonymous function for you to write the logic on runtime
function (req, res, next) {
// Your code to handle data here
next()
}
You can split it into another function from another file and using module.export to use
next() here for the logic that if you handle everything is fine then you can use then for the program to continue the logic that its used to.

The app.use() function is used to mount the specified middleware function(s) at the path which is being specified. It is mostly used to set up middleware for your application.
Syntax
app.use(path, callback)
Parameters:
path: It is the path for which the middleware function is being called. It can be a string representing a path or path pattern or regular expression pattern to match the paths.
callback: It is a middleware function or a series/array of middleware functions.

In simple words app.use() is a function that takes another function (callback) as a parameter and runs every time, when the request is sent to the express app/server.
The function passed inside app.use is also called middleware, middleware is just a fancy name for a function that exists in express app and has three parameters request, response and next. You can read more about middleware.
Middleware are called between request and response cycle. If you want a middleware to be applied on all the routes then you can use app.use() or do some validation, error checking and other things.

app.use() will be called for every request: GET, POST, PUT, PATCH, DELETE

Let's say we have a set of routes that our site can handle
app.get('/1/', function(req, res) {
res.send('page1');
});
app.get('/2/', function(req, res) {
res.send('page2');
});
Obviously, if an address is requested that we do not process, then a 404 error should be returned. Express, however, does not do this by default. But it's easy to implement.
The special method app.use will help us with this. It allows you to intercept all raw addresses
Let's use this method to return a 404 error
app.use(function(req, res) {
res.status(404).send('not found');
});
Now let's place our construction after all app.get
app.get('/1/', function(req, res) {
res.send('page1');
});
app.get('/2/', function(req, res) {
res.send('page2');
});
app.use(function(req, res) {
res.status(404).send('not found');
});

As the name suggests, it acts as a middleware in your routing.
Let's say for any single route, you want to call multiple url or perform multiple functions internally before sending the response.
you can use this middleware and pass your route and perform all internal operations.
syntax:
app.use( function(req, res, next) {
// code
next();
})
next is optional, you can use to pass the result using this parameter to the next function.

app.use() is the application middleware.
Bind application-level middleware to an instance of the app object by using the app. use() and app. METHOD() functions, where METHOD is the HTTP method of the request that the middleware function handles (such as GET, PUT, or POST)
var express = require('express');
var app = express();
var PORT = 3000;
// This middleware will not allow the
// request to go beyond it
app.use(function (req, res, next) {
console.log("Middleware called")
next();
});
// Requests will never reach this route
app.get('/user', function (req, res) {
console.log("/user request called");
res.send('Hello test');
});
app.listen(PORT, function(err){
if (err) console.log(err);
console.log("Server listening on PORT", PORT);
});