
I'm a beginner in the Express framework and am having some difficulty with the code flow. I have the following code in app.js:

app.use('/', index);
app.use('/login', login);
app.use(require('./routes/authenticate_user'));
app.use('/user', userDetails);

The problem is that if a user enters an invalid route, say '/wrong', then my middleware sends the response for that instead of the app throwing 404 Not Found. Is there something I'm missing? (It looks obvious.) Thanks for any help.

asked Apr 8, 2018 at 4:35
  • Yes, sorry for not specifying that in the first place. That middleware is to make sure whether a user has passed an access token in the request headers or not. Commented Apr 8, 2018 at 4:52
  • Well, you have to decide what you want to happen in that case. It seems to me that sending a status that they are not properly authorized (even if it's /wrong) is the right design. That also keeps non-authorized users from learning anything about your URLs and which ones work and don't work. Commented Apr 8, 2018 at 4:59
  • But the problem is still there. Is there any way to pre-check routes? If I may. Or is there another approach to this. Commented Apr 8, 2018 at 5:03
  • What problem is still there? I didn't suggest you change anything. I think the way it is is the proper design. If you only want to check matched routes, then you have to put the middleware manually on every single route: app.use('/user', require('./routes/authenticate_user'), userDetails); Commented Apr 8, 2018 at 5:07
  • OK. Thanks for the quick responses, I guess this is the way it should've been. Commented Apr 8, 2018 at 5:12

1 Answer


There are a couple of choices for how/where you run the authentication middleware.

1) You can run it immediately after any non-authenticated routes have been defined. This will give you a non-auth error for any route, whether it's a real route or not, other than the few routes that the user is allowed to go to without authentication.

2) You can manually add the middleware to each defined route that is supposed to have authentication such as:

app.get('/something', yourAuthMiddleware, yourRouteHandler);

This will run the auth check only on routes that are actually defined. This allows you to give a 404 rather than an auth error for routes that are not defined.

The advantage of the first option (which is essentially how you have it now) is that a non-authenticated user doesn't even get to find out which routes are defined or not. If they're not authenticated, they don't get in at all except to the couple of routes that they are allowed to. In my opinion, this is the right design.

The second option will let you give a 404 for a route that isn't defined, but it requires manually adding auth to each route or each router that you define that needs auth. This allows a non-authenticated user to find out which routes are defined and which ones are not.

answered Apr 8, 2018 at 6:36
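The two placements the answer describes, side by side, as an added example that is not the answerer's or the asker's code. Express itself is replaced by a tiny stand-in for its dispatch loop (assumed to be enough to show ordering); `authenticateUser`, `loginPage`, `userDetails` and the `authorization` header check are assumptions.

```javascript
// Minimal stand-in for Express's dispatch (added example; not Express and not the asker's code):
// use() matches by path prefix, get() by exact path; handlers run in order; unmatched requests get 404.
function createApp() {
  const stack = [];
  return {
    use(path, fn) {
      if (typeof path === 'function') { fn = path; path = '/'; }
      stack.push({ path, fn, exact: false });
    },
    get(path, ...fns) { fns.forEach(fn => stack.push({ path, fn, exact: true })); },
    handle(req) { // returns the response object the handlers left behind
      const res = { status: 404, body: 'Not Found' };
      let i = 0;
      const next = () => {
        while (i < stack.length) {
          const layer = stack[i++];
          const hit = layer.exact ? req.path === layer.path
            : layer.path === '/' || req.path === layer.path || req.path.startsWith(layer.path + '/');
          if (hit) return layer.fn(req, res, next);
        }
      };
      next();
      return res;
    },
  };
}
// Assumed auth middleware: only checks that a token header is present (a real one validates it).
function authenticateUser(req, res, next) {
  if (!req.headers.authorization) { res.status = 401; res.body = 'Unauthorized'; return; }
  next();
}
const loginPage = (req, res) => { res.status = 200; res.body = 'login page'; };
const userDetails = (req, res) => { res.status = 200; res.body = 'user details'; };
// Option 1 from the answer: auth registered globally right after the public routes, so an
// undefined path such as /wrong is answered 401 before routing ever reaches the 404.
function buildGlobalAuthApp() {
  const app = createApp();
  app.get('/login', loginPage); app.use(authenticateUser); app.get('/user', userDetails);
  return app;
}
// Option 2: auth attached per protected route, so undefined paths fall through to 404.
function buildPerRouteAuthApp() {
  const app = createApp();
  app.get('/login', loginPage); app.get('/user', authenticateUser, userDetails);
  return app;
}
// Status a constructed request gets; token null means no authorization header was sent.
function statusFor(app, path, token) {
  return app.handle({ path, headers: token ? { authorization: token } : {} }).status;
}
```

Running `statusFor(buildGlobalAuthApp(), '/wrong', null)` gives 401 while the per-route app gives 404 for the same request, which is exactly the trade-off between hiding the route map and reporting unknown paths.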

11 Comments

Hi jfriend, I want to use Express middle.. like this: app.get('/finduser',function(req,res){
@ŞükSefHam - Please ask your own question. You can then show your code and explain your problem/question.
I can't ask a question :) but I want to learn: I want to use Express middle.. like this: ` app.get('/finduser',function(req,res){user.find{},function(err,result){res.render('./users.ejs',{user:result.....` Is this the right way?
@ŞükSefHam - You can ask questions and contribute answers the moment you join here. Please ask your own question. This is off-topic here to try to ask a question in the comments of some other answer.
Stack Overflow doesn't allow me? :)
