I am currently using jet to authenticate users. In my user.routes I have also a router.param() to load the user and append it to the request. Is the jet control on GET user/:userId protecting also the router.param() load (is the checking does before?) or should also protect the router.param() ?
NOTE: not sure the Title reflects correctly my question... suggestions welcome
user.route.js
import express from 'express';
import expressJwt from 'express-jwt';
import validate from 'express-validation';
import paramValidation from '../../../config/param-validation';
import userCtrl from '../controllers/user.controller';
import config from '../../../config/config';
const router = express.Router(); // eslint-disable-line new-cap
...
/** GET /api/users/:userId - Get user */
router.route('/:userId')
/** GET /api/users/:userId - Get user */
.get(expressJwt({ secret: config.jwtSecret }), userCtrl.get);
...
/** Load user when API with userId route parameter is hit */
router.param('userId', userCtrl.load);
user.controller.js
import httpStatus from 'http-status';
import APIError from '../../helpers/APIError';
import User from '../../models/user.model';
/**
* Load user and append to req.
*/
function load(req, res, next, id) {
User.get(id)
.then((user) => {
req.user = user; // eslint-disable-line no-param-reassign
next();
})
.catch((e) => {
if (e.name === 'CastError') {
const err = new APIError('Cast Error', httpStatus.BAD_REQUEST, true);
next(err);
} else {
const err = new APIError('User not found', httpStatus.NOT_FOUND, true);
next(err);
}
});
}
via erwin
No comments:
Post a Comment