If a user is restricted from a "get" route, is the user also restricted from the "post" route?

jeremiahfernandezzzz · December 17, 2017, 10:55am

the below code is a get request to a route that serves the user a particular page if authenticated, and redirects the user if not. “request.user” refers to some Passport (a node package) object that gets created upon authentication.

app.get("/newpoll", function (request, response){
  if (request.user){
    response.sendFile(__dirname + '/views/newpoll.html');
  } else {
    response.redirect("/")
  }
})

can an unauthenticated user access the route through a post request?

app.post("/newpoll", function(request, response){
    var poll;
    request.on('data', function(data) {
      poll = JSON.parse(data);
      poll["user"] = request.user.twitterId;
    
      console.log("received: " + JSON.stringify(poll))
      MongoClient.connect(url, function(err, db){
        if (db){
          console.log("connected to " + url);
          db.collection("polls").insert(poll);
        }
        if (err) {
         console.log("did not connect to " + url)
        }
      })
    })
})

Jason_L · December 29, 2017, 5:50pm

Nothing in your GET handler will have any bearing on your POST handler. Either 1 or the other is going to be called.

In your “get”, you are testing for the existence of a “user” attribute on the request object. I am going to assume that there was some middleware that only sets this if the user was authenticated, vs simply being an http get parameter. In your POST, you are assuming “user” exists and you are trying to access the twitter id on it. This will throw an exception if “user” is null or undefined, and the client will most likely get a server 500 error. This inconsistency between your 2 functions is a red flag. You should consider refactoring an “isAutheticated” function, put your logic there for determining if the request is in fact authenticated, return a boolean response from it, and then call this function within both your GET and POST handlers. This would make the gaps in your logic easier to see and fix.

I’d try to give you an example, but i am typing this on my phone

Topic		Replies	Views
Express Api problem JavaScript	2	329	February 2, 2021
Securing your routes	1	305	June 1, 2021
Advanced Node and Express: Create New Middleware JavaScript	4	620	May 8, 2022
Create new middleware lesson JavaScript	1	323	June 1, 2021
How to add passport-twitter middleware to an express GET route	8	1548	January 17, 2021

If a user is restricted from a "get" route, is the user also restricted from the "post" route?

Related topics