How to prevent response from server directly display in browser?

Question

I am using express.js framework for my node.js server.

This is how I setup my server.

var express = require('express');
var path = require('path');
var favicon = require('serve-favicon');
var logger = require('morgan');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');

var index = require('./routes/index');
var createUsers = require('./routes/users/createUsers');
var updateUsers = require('./routes/users/updateUsers');
var deleteUsers = require('./routes/users/deleteUsers');
var readUsers = require('./routes/users/readUsers');

var app = express();

app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  next();
});

// view engine setup
app.set('views', path.join(__dirname, 'views'));
app.set('view engine', 'jade');

var mysql = require("mysql");
//Database connection
app.use(function(req, res, next){
    res.locals.connection = mysql.createConnection({
        host     : 'localhost',
        user     : 'root',
        password : 'password',
        database : 'project'
    });
    res.locals.connection.connect();
    next();
});

// uncomment after placing your favicon in /public
//app.use(favicon(path.join(__dirname, 'public', 'favicon.ico')));
app.use(logger('dev'));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: false }));
app.use(cookieParser());
app.use(express.static(path.join(__dirname, 'public')));

app.use('/', index);
app.use('/createUsers', createUsers);
app.use('/updateUsers', updateUsers);
app.use('/deleteUsers', deleteUsers);
app.use('/readUsers', readUsers);



// catch 404 and forward to error handler
app.use(function(req, res, next) {
  var err = new Error('Not Found');
  err.status = 404;
  next(err);
});

// error handler
app.use(function(err, req, res, next) {
  // set locals, only providing error in development
  res.locals.message = err.message;
  res.locals.error = req.app.get('env') === 'development' ? err : {};
  // render the error page
  res.status(err.status || 500);
  res.render('error.ejs');
});

var http = require('http');
module.exports = app;
var server = http.createServer(app);
server.listen(4000);

This is my readUsers.js

var express = require('express');
var router = express.Router();

/* GET home page. */
router.get('/', function(req, res, next) {
    //console.log("pending data");
    res.locals.connection.query('SELECT id,name,email,username,address,phone,status FROM user', function (error, results, fields) {
        if (error) throw error;
        res.send(JSON.stringify(results));
    });

});

module.exports = router;

My server is listen at port 4000. My react frontend componentDidMount() function use axios.get("http://localhost:4000/readUsers") to read the data from database and it worked well.

However, if I directly type in http://localhost:4000/readUsers in my browser, it will directly connect to my database and read all User data and displayed the data in browser. This is not I want because everyone can read my data if they know this address. Any way to prevent this issue?

Answer 1

使用POST而不是GET作为请求的方法。

Answer 2

Add middleware to your router. here's the doc Router-level middleware

Express have many middleware, one of it is route-level middleware. This middleware handle anything between users and your function.

Here is the example i fetch from the documentation.

var app = express()
var router = express.Router()

// a middleware function with no mount path. This code is executed for every request to the router
router.use(function (req, res, next) {
  console.log('Time:', Date.now())
  next()
})

// a middleware sub-stack shows request info for any type of HTTP request to the /user/:id path
router.use('/user/:id', function (req, res, next) {
  console.log('Request URL:', req.originalUrl)
  next()
}, function (req, res, next) {
  console.log('Request Type:', req.method)
  next()
})

In your case you may add some permission validation before request. Usually it's an API key, but it can be anything, secret word in header, secret parameter, everything. Here is the example for your case.

function isPermitted(req, res, next) {
  var permitted = false;

  // Your validation here, is your user permitted with this access or not.

  if (permitted) {
    next();
  } else {
    res.send('Sorry, you are not belong here.');
  }
}

/* GET home page. */
router.get('/', isPermitted, function(req, res, next) {
    //console.log("pending data");
    res.locals.connection.query('SELECT id,name,email,username,address,phone,status FROM user', function (error, results, fields) {
        if (error) throw error;
        res.send(JSON.stringify(results));
    });

});