0

I made a RESTful API with Node/Express. One client can upload photos and audio and the API stores them in the filesystem using multer (I haven't figured out how to store files in the database yet). How does a client, in Angular, for example, receive the photo when consuming the API? It can't receive the link to where the file is in the filesystem in the JSON, right?

daniel gon
  • 159
  • 2
  • 14

2 Answers

0

Add an endpoint to GET the file with the appropriate content type.

If you slugify the file name and store it as is, your endpoint could take the file name as a parameter; or you can assign it a unique key and store it in the database (with additional metadata), then retrieve it from disk by the id.

Gabriel Bleu
  • 9,703
  • 2
  • 30
  • 43
-1

Your client (any type of application that's consuming the API) can get the file in two simple ways: accessing the local file directly via a public, exposed URL (insecure) or reading a buffer of bytes. JavaScript can build objects from a buffer of bytes. You can check this in another post: How do I read binary data to a byte array in Javascript?

Or, more specific to AngularJS, you can find a more detailed example of how to read and display images from byte code here: How to display Image received as byte array in Angular JS

alvaropaco
  • 1,573
  • 18
  • 29
  • Why do you think it's insecure to access an exposed URL mimicking the file path? The URL can be subject to restrictions as to who can access it. This is actually a much more common practice than sending "buffers" of bytes. Can you access [this image](https://scontent.fnic3-1.fna.fbcdn.net/v/t1.0-9/26169838_10155687295489473_2109066226156133284_n.jpg) from my Facebook profile? I guess not. – nicholaswmin Nov 26 '18 at 14:30
  • It is not a good practice to permit direct access to your files on the service. Sure, we have secure ways to do that, but a more secure approach is to return a buffer of bytes. Here you will find a description of the IDOR problem: https://www.owasp.org/index.php/Testing_for_Insecure_Direct_Object_References_(OTG-AUTHZ-004) – alvaropaco Nov 26 '18 at 14:35
  • Sorry, but no; if what you are saying was even remotely a significant concern, every major player would change their practice to what that article is recommending. I'm inclined to believe that you either misunderstood what the article is saying or the article itself is probably moot for practical purposes. – nicholaswmin Nov 26 '18 at 14:37
  • It's just a concern. We can access files in many ways: CDN, byte code buffer, directly... – alvaropaco Nov 26 '18 at 14:40