Can the req object be manipulated within an HTTP request? So is there any chance a request can set a value for req.token? I know that various object properties like req.query, req.body etc. can be freely changed from the outside, but can new properties like req.token be added or is this example code safe?
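
// Middleware: attaches a server-generated token to req when the request is valid
var auth = function (req, res, next) {
    if (isValid()) {
        req.token = getToken();
        return next();
    }
}

// Route handler: runs after auth and reads the property that auth set
app.get('/foo', auth, function(req, res) {
    if (req.token) {
        // valid request
    } else {
        // invalid request
    }
});
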
via Chris
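
An added example, not part of the original post: a simplified stand-in for an Express-style middleware chain, showing that request data arrives only under the properties the server and its parsers define (query, body and headers here), and that req.token becomes client-controlled only if some middleware copies input onto req. The names VALID_KEY, buildReq, run and unsafeMerge are hypothetical, and the x-api-key check stands in for the post's isValid() and getToken().

```javascript
// Added example: simplified stand-in for an Express-style chain (no Express needed).
const VALID_KEY = 'constructed-api-key'; // constructed sample value

// Build req the way a server does: client data lands only under
// query, body and headers, never as new top-level properties.
function buildReq({ url, headers = {}, body = '{}' }) {
  const query = Object.fromEntries(new URL(url, 'http://localhost').searchParams);
  return { url, headers, query, body: JSON.parse(body) };
}

// Run middlewares in order; the chain stops when one does not call next().
function run(req, middlewares) {
  const res = { statusCode: 200, end(code) { this.statusCode = code; } };
  let i = 0;
  const next = () => { const mw = middlewares[i++]; if (mw) mw(req, res, next); };
  next();
  return { token: req.token, status: res.statusCode };
}

// The post's auth middleware with the failure path answered explicitly.
function auth(req, res, next) {
  delete req.token; // discard anything an earlier middleware may have set
  if (req.headers['x-api-key'] !== VALID_KEY) return res.end(401);
  req.token = 'server-issued-token';
  next();
}

// Pattern to look for in review: copying client input onto req itself.
function unsafeMerge(req, res, next) { Object.assign(req, req.body); next(); }

// Constructed request that supplies "token" in the query, a header and the body.
const forged = {
  url: '/foo?token=forged',
  headers: { token: 'forged' },
  body: '{"token":"forged"}',
};

console.log(run(buildReq(forged), []));            // token stays undefined
console.log(run(buildReq(forged), [unsafeMerge])); // token now comes from the body
console.log(run(buildReq(forged), [unsafeMerge, auth])); // rejected with 401
```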