Node.js express correct use of bodyParser middleware

I am new to node.js and express and have been experimenting with them for a while. Now I am confused with the design of the express framework related to parsing the request body. From the official guide of express:

app.use(express.bodyParser());
app.use(express.methodOverride());
app.use(app.router);
app.use(logErrors);
app.use(clientErrorHandler);
app.use(errorHandler);

After setting up all the middleware, then we add the route that we want to handle:

app.post('/test', function(req, res){ 
  //do something with req.body      
});

The problem with this approach is that all request body will be parsed first before the route validity is checked. It seems very inefficient to parse the body of invalid requests. And even more, if we enable the upload processing:

app.use(express.bodyParser({uploadDir: '/temp_dir'}));

Any client can bombard the server by uploading any files (by sending request to ANY route/path!!), all which will be processed and kept in the '/temp_dir'. I can't believe that this default method is being widely promoted!

We can of course use the bodyParser function when defining the route:

app.post('/test1', bodyParser, routeHandler1);
app.post('/test2', bodyParser, routeHandler2);

or even perhaps parse the body in each function that handle the route. However, this is tedious to do.

Is there any better way to use express.bodyParser for all valid (defined) routes only, and to use the file upload handling capability only on selected routes, without having a lot of code repetitions?

Answers


Your second method is fine. Remember you can also pass arrays of middleware functions to app.post, app.get and friends. So you can define an array called uploadMiddleware with your things that handle POST bodies, uploads, etc, and use that.

app.post('/test1', uploadMiddleware, routeHandler1);

The examples are for beginners. Beginner code to help you get the damn thing working on day 1 and production code that is efficient and secure are often very different. You make a certainly valid point about not accepting uploads to arbitrary paths. As to parsing all request bodies being 'very inefficient', that depends on the ratio of invalid/attack POST requests to legitimate requests that are sent to your application. The average background radiation of attack probe requests is probably not enough to worry about until your site starts to get popular.

Also here's a blog post with further details of the security considerations of bodyParser.


Need Your Help

javafx 8 compatibility issues - FXML static fields

java javafx-2 java-7 java-8 javafx-8

I have designed a javafx application which works fine in jdk 7. When I try to run it in java 8 I am getting the below exceptions:

What does Protected Internal mean in .Net

c# .net oop

Protected Means, we can access this member only in a deriving class, and internal means we can access this member in any type in the same assembly using a object.