So I want to create a commenting system for my website, and in order to know the page of the comment (for example, a specific video a user has uploaded), I somehow need to get the url of the page the user is currently on, when they comment (so that I know how to save it in the database).

The route is like this: `app.get('/video/:videoId', function(req, res){...})`, so a video url would be something like `/video/98ux8987s987f9xc89v3wjgrkgh32`.

I need to get the last part of the url, when the user POSTs the comment. I don't want to send the url along with the comment (in the ajax POST function), because they can change it!

And by the way, I don't need the POST url: if I use something like `req.url` in the post function, I'll just get the post url (with `app.post('/comment', function(req, res){ console.log(req.url) })` I get `/comment`).

Is there a way to do it?

Thank you very much.

  • I wrote a new answer with a hash token. Only the server can make the token (videoKey), and users need it to send a comment. – user2226755 May 14 '16 at 14:06

2 Answers

I'm not sure if I get you, but is this what you mean?

    app.post('/comment/:videoId', function(req, res) {
        console.log(req.params.videoId); // the id from the POST url
    });

The videoId parameter is in req.params.videoId.

  • Not exactly. `app.post('/comment', function(req, res){ ... })`: the user is on this url when he comments: `/video/98ux8987s987f9xc89v3wjgrkgh32`. I need to get the `98ux8987s987f9xc89v3wjgrkgh32` part without sending it to the client, because they might change it. I need to get it from the server side directly! (sorry if my English isn't great!) – Jim May 14 '16 at 13:31
  • Well, in other words yeah, I need to get the id of the video, without sending it to the client, because they may change it! – Jim May 14 '16 at 13:36
  • The code I posted is server side code, so that's not a problem, but I think I know what you mean, only that is not possible: One way or the other, you have to have a sort of identification of the video they are commenting on, which must be passed to the client. It's always possible to mess with data on the client side, so that's why you would need server side authentication as well. – Keugels May 14 '16 at 13:39
  • Could you please give me a sample of what server side authentication should look like? Thank you! – Jim May 14 '16 at 13:41

You can add a hash with the url, but it's not unstoppable. In the videoKey you can add the date or the user id.

    var secretkey = "4658{=#mkZl"; // The user doesn't know this string, so he can't make a videoKey.

    app.get('/video/:videoId', function(req, res){
        res.render('video', {
            videoId: req.params.videoId,
            videoKey: sha256(secretkey + req.params.videoId + secretkey)
        });
    });

In your HTML form (the route is a POST, so the form must submit with `method="post"`):

    <form action="/comment" method="post">
        <input type="hidden" name="videoId" value="{videoId}" />
        <input type="hidden" name="videoKey" value="{videoKey}" />
    </form>

Comment function:

    var secretkey = "4658{=#mkZl";

    app.post('/comment', function(req, res){
        if (req.body.videoKey == sha256(secretkey + req.body.videoId + secretkey)) {
            // ok, the user got the video page before he comments.
        }
    });

sha256 function:

    var crypto = require('crypto');

    function sha256(data) {
        return crypto.createHash("sha256").update(data).digest("base64");
    }

  • Your code works fine so far in my program, but videoKey is always the same for each videoId, so on every refresh of the same page it stays the same. Is there a function to make it less... static? So that it changes on every refresh of the same page! – Jim May 19 '16 at 11:44
  • @Jim Add the user sessionid, or the cookie sessionid. But if you want spam prevention, the token isn't the solution; for spam prevention you need a captcha. Read: http://stackoverflow.com/questions/36198970/does-using-csrf-form-tokens-help-spam-prevention – user2226755 May 20 '16 at 18:28