5

So I looked at this post: is an entity body allowed for an http delete request

Which seems to indicate that while it is 'ok' to do on some conceptual level, in practice it may not be doable because browsers just ignore it.

I have some express.js authentication middleware I need to get through, and I don't want to attach my user details to url params. All my other requests that need to authenticate attach these details to the body of the request.

Is there some way to force this? I saw some other posts where some people seemed to have success in passing a body with their delete request.

I am running a node/sails back-end. It always logs the body as undefined for a delete request. Is there any way to modify

Community
  • 1
  • 1
tpie
  • 6,021
  • 3
  • 22
  • 41

2 Answers2

3

The sails API pulls the id of the object to delete from the params, so we have to append the id to the url.

But if I want to pass some authentication details in a body for server-side verification before processing the delete request, I can't just stick them in an object as the second parameter of the delete request, like you can with $http.post.

Angular's post method automatically assigns whatever we insert as a second parameter to the body of the request, but the delete method does not.

Angular's $http.delete method does allow us to supply a config object as the second parameter, through which we can get access to the 'data' property. This is the same way post does it through it's second parameter.

So if we need to attach a body to a delete request we can use the following:

$http.delete('/api/' + objectToDelete.id, {data: {id: currentUser().id, level: currentUser().level}});

This will pass the object to delete's id in the url parameter, and my user credentials in the body as an object.

tpie
  • 6,021
  • 3
  • 22
  • 41
  • Strange, I have tried this method on Angular 1.4.x and the request is sent without body. Does this work for other people? – chrisvdb Oct 16 '15 at 04:16
  • 3
    This works if you add this: $httpProvider.defaults.headers.delete = { "Content-Type": "application/json;charset=utf-8" }; – Diego Mello May 24 '16 at 12:59
  • @DiegoMello additionally, required headers can vary from one API to the other. I answered this a while ago, so the headers that sails is looking for on delete requests could very well have changed. Some APIs require Content-Length to be set as well. – tpie May 24 '16 at 14:02
  • 1
    @mohamed.ahmed The issue is likely not with angular. Angular still let's you pass the data in. It is likely that for some reason or another your API is ignoring the data because it doesn't know to look for it, for reasons such as what Diego mentioned above - you need to have the right headers set. – tpie May 24 '16 at 14:05
  • @tpie Are you sure? If I print req.body without setting headers in angular, my api returns nothing. – Diego Mello May 24 '16 at 18:36
2

Honestly, everytime a trouble sounds like a "restriction of as REST", a rethink of the strategy and the philosophy might be a good idea.

I have some authentication middleware I need to get through

I don't want to attach my user details to url params

I'm not directly answering the question, but you should know that among the commons

  • URL parameters (or query, but URL anyway)
  • Body

there is a third option for "passing values to the server" :

  • request Headers

I'd just suggest to consider that third option to provide your credentials: request header.

Edit : following appendix would just apply to any "external" middleware, like a proxy server or whatever, not a true express middleware inside sails.js

In addition, that would be a good idea that your middleware stripped those headers before redirecting to the real action.

Community
  • 1
  • 1
Cyril CHAPON
  • 3,556
  • 4
  • 22
  • 40
  • Thanks for the input. I took into consideration what you said and added an additional header into my auth interceptor. Can you elaborate on my it would be beneficial to strip the headers in the middleware? – tpie Apr 22 '15 at 11:43
  • You made my 50 rep so I can answer you here ! =p I don't know what you mean by "middleware", so I suggested that, if this is eg. another server or maybe another part of the code (purely handling auth, without any connexion to the real actions), it should not redirect those headers for security purpose. Edit : If you're sticking purely inside sails, this is only optional to strip credentials before going into controller, but if auth is outside, consider it. – Cyril CHAPON Apr 22 '15 at 11:47
  • "Middleware is a function with access to the request object (req), the response object (res), and the next middleware in line in the request-response cycle of an Express application, commonly denoted by a variable named next." Basically lets you inject functions to pass the req through before you actually get to whatever you are going to do with the request. – tpie Apr 22 '15 at 11:52
  • Assuming you mean a true *express* middleware, you can ignore this appendix I guess. I was just broadening to the wide middleware meaning.[def](http://searchsoa.techtarget.com/definition/middleware), [def2](http://en.wikipedia.org/wiki/Middleware) – Cyril CHAPON Apr 22 '15 at 11:56
  • 1
    yes of course...it just happened to be the middleware in question. – tpie Apr 22 '15 at 11:58