0

Beginner in Node.js/Express, I want my front end to fetch some data from an endpoint ('/1') but I don't want a user to see the JSON data when they visit that endpoint. Any help would be appreciated.

app.js

var express = require('express');
var app = express();
var PORT = process.env.PORT || 3000;
app.use("/static", express.static('./static/'));

app.get('/', function(req, res) {
  res.sendFile(__dirname + '/index.html');
});

// This middleware answers every request to '/1' and never calls next(),
// so the app.get('/1') handler below is never reached, for the browser
// or for the front-end fetch alike.
app.use('/1', function(req, res, next) {
  res.status(404).send('Data not available to end user');
});

app.get('/1', function(req, res) {
  res.json({
    "employees": [
      { "firstName":"John"  , "lastName":"Doe"   },
      { "firstName":"Anna"  , "lastName":"Smith" },
      { "firstName":"Peter" , "lastName":"Jones" }
    ]
  });
});

app.listen(PORT);
Mr. Polywhirl
jpj
  • Does this answer your question? [How to check if the request is an AJAX request with PHP](https://stackoverflow.com/questions/18260537/how-to-check-if-the-request-is-an-ajax-request-with-php) – CBroe Aug 10 '20 at 11:57
  • @CBroe They are using a Node stack, not PHP. – Mr. Polywhirl Aug 10 '20 at 11:58
  • @Mr.Polywhirl the main point is that you need to check for certain request characteristics on the server side, to be able to make that distinction. The mentioned duplicate explains what to look for in the first place, when certain client-side libraries are used to make the request, resp. should give an idea what one could add on the client side. Figuring out how to check whether a specific request header was set _in node_, is something I’d rather expect someone to be able to go read up on their own, if unknown. – CBroe Aug 10 '20 at 12:00
  • The correct way of doing this is to hide it behind some auth. That is user must provide some cookie/param you validate on backend to access the data. (This can be either some token you generate on login, or some `api` key) – noitse Aug 10 '20 at 12:00
  • You don't have to have auth - you can use CSRF if you want it to be open – mikeb Aug 10 '20 at 12:05
  • If the frontend uses AJAX for requests, try this: https://stackoverflow.com/questions/15945118/detecting-ajax-requests-on-nodejs-with-express – Bruno Melo Aug 10 '20 at 12:22
  • @BrunoMelo Thanks, it worked. – jpj Aug 10 '20 at 13:06

2 Answers

-1

You can implement an authentication (with JWT for example), but if the browser has a token it's going to see that JSON anyway. I don't know if this is a RESTful API, but if not, you can send only POST requests (like GraphQL).

Bruno Melo
-1

There's no way to guarantee what you want to do.

You can use CSRF tokens and that will help if someone just points their browser at the endpoint.

Looks like you are using Express - something like this would help with CSRF: http://expressjs.com/en/resources/middleware/csurf.html

Generally if you are taking a "front-end" request from javascript or something in a browser, you can't prevent people from getting to it.

mikeb