
Using the current version of MassiveJS and Express for API calls. When using the SAVE function, Massive wants a list of column names to update as follows:

var express = require('express');
var router = express.Router();
// db is the connected Massive instance, initialised elsewhere in the app

router.put('/:id', function(req, res, next) {
  db.suppliers.save(
    {
      id: +req.params.id,        // primary key from the route
      name: req.body.name,       // every remaining column is copied by hand
      email: req.body.email,
      column1: req.body.column1,
      column2: req.body.column2,
      column3: req.body.column3,
      manyOtherColumns: req.body.manyOtherColumns
      // ... and so on for every other column in the table
    }, function (err, result) {
      if (err) {
        return next(err);
      }
      return res.status(200).json({
        status: 'SUCCESS',
        message: 'Supplier has been saved'
      });
    })
});

As you can see, as the column list gets longer and longer, this code becomes more difficult to maintain. So I was wondering if there is a way to save the entire req.body in a single call, assuming that the req.body key values match the db column names. That would save A LOT of time and be far more maintainable.

Laurel
CCPony
  • Are you familiar with over-posting? This allows a malicious user to set admin:true for instance. I really recommend whitelisting your form posts. –  Jul 11 '16 at 19:46
  • I'm not familiar with over-posting/whitelisting. All the training examples that demonstrate form posting using REST fail to mention these concepts. A Google search produces confusing responses and no clear approach to apply in my scenario: MassiveJS and Express/Express.Router(). Now, you have my curiosity up as well as a bit of frustration that there is yet another layer of complexity that has to be applied to something as simple as posting data to a db backend. Is there anything that you can provide to help me understand this, specifically as it applies to your solution, Massive? – CCPony Jul 11 '16 at 20:44
  • Rob - I believe that you are referencing something akin to this post: http://stackoverflow.com/questions/28701258/mysql-whitelist-query. This I completely understand and have built in safeguards to prevent malicious posts and assure that users have access to and can post only authorized data and only from authorized personnel. I just wasn't familiar with the term "whitelist". Does this somehow relate to my original question regarding the tedium and maintenance issue of listing dozens and dozens of columns when using Massive.save()? Is there a better way to do that? – CCPony Jul 11 '16 at 21:07
  • It's a little different. I used the term "over-posting" but I meant to say "mass assignment". You can read about how Github was compromised in this way here: https://gist.github.com/peternixey/1978249. The deal is that you *never* want to leave an API open so people can assign values to things you don't want assigned to. –  Jul 11 '16 at 22:05

1 Answer


Massive isn't an ORM, so saving an "object" isn't the idea. If you want to update something you can do so directly using db.update and passing in the values you want updated as well as the id of the row. This will do a partial update for you.

As I mention in the comments, opening up a REST endpoint to update whatever a user sends in via POST is probably not a good idea, even if you do trust your user.

Finally: if you want to just pass along the form post you can:

var _ = require('lodash'); // underscore also provides _.extend

router.put('/:id', function(req, res, next) {
  var supplier = {
    id: req.params.id
  };
  // copy every key of the form post onto the record (no whitelisting)
  supplier = _.extend(supplier, req.body);
  db.suppliers.save(
    supplier
    , function (err, result) {
      if (err) {
        return next(err);
      }
      return res.status(200).json({
        status: 'SUCCESS',
        message: 'Supplier has been saved'
      });
    })
});
  • Wow. This is new to me. I'm struggling to understand. It seems that you're telling me that posting using an "active record" pattern (which gives access to all the table columns) creates the potential for a mass assignment attack. And, if I'm understanding you correctly, by itemizing the columns that the POST updates, this avoids such an attack. Is this what you refer to as white-listing a form post? – CCPony Jul 12 '16 at 01:12