1

I am using Express 3.4.8 and have set up a handler for all my routes, checking for privileges.
Let's assume that the credentials (which are sent with every request) are invalid. I'd like to respond with a status of 403 in that case.

app.all('*',function(req,res,next){

  //req.body contains an object `credentials`

  res.send(403);
});

If i do so, req.body will be an empty object. Note that the request is made from an Angular app and is definetly correct.

As soon as i omit the status, everything will work fine. Like that:

app.all('*',function(req,res,next){
  res.send('Im not a status code');
});

In that case, req.body will contain the credentials as expected. Remember, the original request is made externally and never touched.

Can anyone reproduce this and has a tip on how to fix it?

This is slowly corroding my inward peace. the whole process makes absolutely no sense at all. If i do a console.log(req.body) at the very beginning of the logic, thus before the authCheck decides whether or not the credentials are valid, it still fails.

Wottensprels
  • 3,166
  • 2
  • 26
  • 38
  • Do you mean the body of the response is empty? Or actually `req.body`? And if the latter: how are you using `req.body`? – robertklep Feb 17 '14 at 15:46
  • @robertklep Are you mixing up response and request? req.body will always be shown as an empty object when sending a status. I'm passing it through an Angular app, using $http.post, containg credentials – Wottensprels Feb 17 '14 at 15:49
  • So you're posting data to your Node app (from Angular), and that data doesn't show up in `req.body`, but only if you return a 403 with a reason? – robertklep Feb 17 '14 at 15:54
  • Yup. However, i have to say that this issue comes up immediately. So, if i'm returning that status after the promise has been rejected, the req.body variable will be an empty object **even before** the logic starts. i could cut the whole thing and only do a console.log(req.body);res.send(403); and it will reproduce – Wottensprels Feb 17 '14 at 15:56
  • Are you sure it's not the other way around? That because of an 'empty' request being sent (for instance, a `GET` instead of a `POST`), the 403-code is triggered? – robertklep Feb 17 '14 at 16:01
  • Absolutely. If i omit the status without even touching the request, everything works like a charm – Wottensprels Feb 17 '14 at 16:47
  • Could you please try `res.status(403);next()`? – Hüseyin BABAL Feb 18 '14 at 14:36
  • @HüseyinBABAL Unfortunately, this has changed nothing – Wottensprels Feb 18 '14 at 14:37

1 Answers1

0

I still have no idea why this failed in this specific way, but yet i found a solution.

The "failure" was caused by the fact that CORS will cause Angular to send an OPTIONS request.

See: AngularJS performs an OPTIONS HTTP request for a cross-origin resource

I respond with a simple status 200 messsage for each OPTIONS request, after that, the original POST will pass as expected.

Community
  • 1
  • 1
Wottensprels
  • 3,166
  • 2
  • 26
  • 38