In express.js we often attach objects to the req object in middleware, e.g. req.myObject. What prevents a user sending an http request that includes req.myObject already set to some value? For example, I could use req.myObject as part of authentication. Could a user set req.myObject = true when sending a request when it should really be false? Potentially an issue if req.myObject is set on some routes but not others but middleware that checks req.myObject is re-used across routes.
- Not sure how a user would set anything on `req` using any http verb? The post params are in `req.body` and gets are in `req.query` and files are in `req.files`. Did I miss anything? – Swaraj Giri Jun 24 '15 at 05:36
- No - I thought the answer might be something like that, i.e. that expressjs doesn't permit the requestor to set anything on the request object other than a finite set of objects... but wanted to make sure. – Andrew Jun 24 '15 at 05:39
1 Answer
`req` is an object created by Express when a request is received. It's not something passed directly from client to the server, in fact it isn't even available to the client.
A client can only relay information to the server in some limited ways - GET query, POST form data, or route paths which are attached to the `req` object by Express as `req.query`, `req.body`, and `req.params` respectively.
Anything else attached to the `req` object is out of scope of the client, at least directly.
Related question: Node.js request object documentation?
laggingreflex
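The point made in the answer, as an added example that is not part of the original post and is not Express's own code: a simplified synchronous model of how request data is parsed into containers, plus a guard for the question's case where a check is reused on routes that never set `req.myObject`. The names `buildReq`, `run`, `DEMO_KEY` and the `x-api-key` header are assumptions made for illustration; the two middleware functions use the `(req, res, next)` signature and `res.sendStatus` that Express provides.

```javascript
// Simplified model of what a framework does with the wire data: everything the
// client controls is parsed into dedicated containers, never onto req itself.
function buildReq(rawUrl, headers = {}, rawBody = '') {
  const url = new URL(rawUrl, 'http://localhost');
  return {
    path: url.pathname,
    headers,
    query: Object.fromEntries(url.searchParams),
    body: Object.fromEntries(new URLSearchParams(rawBody)),
  };
}

// Server-side middleware: the only place req.myObject is ever assigned.
// DEMO_KEY and the x-api-key header are constructed for this example.
const DEMO_KEY = 'constructed-demo-key';
function setMyObject(req, res, next) {
  req.myObject = req.headers['x-api-key'] === DEMO_KEY;
  next();
}

// Reusable guard. Strict comparison means a route that forgot setMyObject
// (req.myObject is undefined) is rejected instead of silently passing.
function requireMyObject(req, res, next) {
  if (req.myObject !== true) return res.sendStatus(403);
  next();
}

const handler = (req, res) => res.sendStatus(200);

// Tiny synchronous stand-in for the router: runs (req, res, next) in order.
function run(req, chain) {
  const res = { statusCode: null, sendStatus(code) { this.statusCode = code; } };
  let i = 0;
  const next = () => { if (i < chain.length) chain[i++](req, res, next); };
  next();
  return res.statusCode;
}

// Constructed request that puts myObject=true in every channel a client controls.
const forged = () =>
  buildReq('/admin?myObject=true', { myobject: 'true' }, 'myObject=true');

console.log(forged().myObject);                                       // undefined
console.log(run(forged(), [requireMyObject, handler]));               // 403
console.log(run(forged(), [setMyObject, requireMyObject, handler]));  // 403
console.log(run(buildReq('/admin', { 'x-api-key': DEMO_KEY }),
                [setMyObject, requireMyObject, handler]));            // 200
```

The client-supplied value is still present, but only as the string `'true'` under `req.query.myObject` and `req.body.myObject`, which the guard never reads.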