Friday 5 May 2017

Can the req object be manipulated within a request

Can the req object be manipulated within an HTTP request? So is there any chance a request can set a value for req.token? I know that various object properties like req.query, req.body etc. can be freely changed from the outside, but can new properties like req.token be added or is this example code safe?

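// isValid() and getToken() are the application's own helpers (not shown).
var auth = function (req, res, next) {
    if (isValid()) {
        // Set on the server side only, after the request has been validated.
        req.token = getToken();
        return next();
    }
    // Reject instead of leaving the request hanging without a response.
    res.sendStatus(401);
};

app.get('/foo', auth, function(req, res) {
    if (req.token) {
        // valid request
    } else {
        // invalid request
    }
});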



via Chris
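
Added example (not part of the original post and not Express's own code): a constructed, synchronous model of a request pipeline showing that client input lands only in req.query, req.headers and req.body, and that req.token becomes client-controlled only if server code merges that input onto req. buildReq, makeAuth, unsafeMerge, handle and forgedReq are hypothetical names, and the token values are constructed.

```javascript
// Constructed model of a request pipeline (not Express itself): the server
// builds `req` and copies client data only into query, headers and body.
function buildReq(rawUrl, headers, jsonBody) {
  const url = new URL(rawUrl, 'http://localhost');
  return {
    method: 'GET',
    path: url.pathname,
    query: Object.fromEntries(url.searchParams),
    headers: headers,
    body: JSON.parse(jsonBody),
  };
}

// The page's auth middleware, with the validity check passed in (assumption).
function makeAuth(isValid) {
  return function auth(req, res, next) {
    delete req.token; // defensive: never trust a value set before this point
    if (!isValid(req)) { res.status = 401; return; }
    req.token = 'server-issued'; // constructed placeholder value
    next();
  };
}

// Anti-pattern: merging client input onto req makes req.token client-controlled.
function unsafeMerge(req, res, next) {
  Object.assign(req, req.body);
  next();
}

// Runs the middleware in order, then records what the route handler would see.
function handle(middleware, req) {
  const res = { status: 200, sawToken: null };
  let i = 0;
  const next = () => {
    if (i < middleware.length) return middleware[i++](req, res, next);
    res.sawToken = req.token === undefined ? null : req.token;
  };
  next();
  return res;
}

// Constructed request that supplies "token" through every client input channel.
function forgedReq() {
  return buildReq('/foo?token=forged', { token: 'forged' }, '{"token":"forged"}');
}
```

Middleware order matters here: a merge step that runs after auth overwrites the server-issued value, so the thing to audit is any code that copies request data onto req, not the request itself.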
