
I want to exclude the public folder and all static files and subfolders from express router.

Currently I have defined 1) the public folder, 2) the router as suggested in several SF answers:

        // public folder
        self.app.use(express.static(path.join(__dirname, 'public')));

        // static pages
        self._options.staticRoutes.forEach(route => {
            self.app.use(BASEPATH + route, express.static(path.join(__dirname, 'public')));
        });

        // register page renderer
        router.get(BASEPATH, renderer.render());

        // templates
        self._options.routes.forEach(route => {
            self.app.use(BASEPATH + route, router);
        });
        // router
        self.app.use(BASEPATH, router);

        // register error handlers
        self.app.use(renderer.logErrors());
        self.app.use(renderer.clientErrorHandler());
        self.app.use(renderer.catchAll());

Later on I have a catch all that checks the user login:

        self.app.use(function (req, res, next) {
            var redirect_uri = '/login';
            if (req.user) {
                return next();
            } else {
                return res.redirect(redirect_uri);
            }
        });

This route causes the 304 redirect on static files as well under the public folder.

An option would be to use a path based middleware like here:

    // Wrap a middleware so it is skipped when req.path exactly equals one of the given paths
    var unless = function (middleware, ...paths) {
        return function (req, res, next) {
            const pathCheck = paths.some(path => path === req.path);
            pathCheck ? next() : middleware(req, res, next);
        };
    };//unless

to be used like

    app.use(unless(redirectPage, "/user/login", "/user/register"));

But how to apply this in my case? Let's consider that public files are served under the / path (i.e. the public folder) and its subfolders (like css, js, images or even files like favicon.ico, robots.txt, etc.).

loretoparisi
  • Sorry but your question isn't very clear. What are you trying to achieve? Perhaps some context would be more helpful. – Shumail Oct 14 '19 at 11:04
  • @Shumail Thanks. I want to avoid the routing of the last `app.use` on static files under the `public` folder. – loretoparisi Oct 14 '19 at 11:07
  • Can you share your code showing how you are trying to use static files? – kisor Oct 14 '19 at 11:11
  • @kisor The code is: `self.app.use(express.static(path.join(__dirname, 'public')));` – loretoparisi Oct 14 '19 at 12:29
  • `self._options.staticRoutes.forEach(route => { self.app.use(BASEPATH + route, express.static(path.join(__dirname, 'public'))); });` What is this used for? – kisor Oct 15 '19 at 04:47

1 Answer


There are multiple ways to use middlewares in express.

Instead of excluding the static/public resources from an application-level login check (here you could read the request and skip the check for certain paths), I would rather use router-level middlewares at your sensitive paths.

You can define router-level middlewares right there in your present routing calls like this:

    router.get('/path_of_the_route', middleware1, middleware2, ..., requestHandler);

Usually I do something like this:

    serverApp.use(express.static(__dirname + '/public'));

    // loginController renders the login pages (and password-reset etc.) and provides login/logout functionality
    router.use('/', loginController);
    router.use('/login', loginController);

    // every request to the '/secured' path will be sent through the authentication check middleware
    router.use('/secured', loginController.checkLoginMiddleware, securedContentPageController);

lupz
  • Thanks, this was one option, but I cannot figure out how this specific middleware should handle public file routes in general. Let's consider that a public file is served under the `/` path (i.e. the `public` folder) and its subfolders (like `css`, `js`, etc.). – loretoparisi Oct 14 '19 at 12:28
  • My point is "don't use the authentication-middleware on public paths". The middleware doesn't need to know anything about your public routes. – lupz Oct 14 '19 at 12:35
  • Yes. My sensitive paths are everything under `/` that are static files, hence under the static folders `js/`, `css/`, etc., so my `'/path_of_the_route'` is more like a regex maybe, or something like here https://stackoverflow.com/questions/27117337/exclude-route-from-express-middleware – loretoparisi Oct 14 '19 at 12:43
  • By "sensitive" I mean "needs authentication". Typically, you don't need authentication to access public resources (that's why they are called public). When you consider everything under `/` to be "sensitive" you will need the authentication-check and I wonder why you asked this question ;) – lupz Oct 14 '19 at 13:02
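
An added example, not part of the original question or answer: the question's `unless` wrapper generalized from exact paths to whole public folders, matching on a path-segment boundary so that exempting `/css` does not also exempt `/css-admin`. The names `PUBLIC_FILES`, `PUBLIC_DIRS`, `isPublicPath`, `requireLogin` and `simulate` are assumptions made for illustration, as is exempting `/login` itself; the requests are constructed objects, so the block runs without Express.

```javascript
// Assumed public layout, taken from the folders and files named in the question.
const PUBLIC_FILES = new Set(['/favicon.ico', '/robots.txt', '/login']);
const PUBLIC_DIRS = ['/css', '/js', '/images'];

// True only for an exact public file or a path strictly inside a public folder.
function isPublicPath(reqPath) {
  // Never exempt a path containing a '..' segment; the login check handles it.
  if (reqPath.split('/').includes('..')) return false;
  if (PUBLIC_FILES.has(reqPath)) return true;
  // Compare on a segment boundary: '/css/x' matches, '/css-admin/x' does not.
  return PUBLIC_DIRS.some(dir => reqPath.startsWith(dir + '/'));
}

// Same shape as the question's `unless`, driven by a predicate
// instead of a list of exact paths.
function unless(middleware, isExempt) {
  return function (req, res, next) {
    return isExempt(req.path) ? next() : middleware(req, res, next);
  };
}

// The login check from the question's catch-all.
function requireLogin(req, res, next) {
  return req.user ? next() : res.redirect('/login');
}

const guard = unless(requireLogin, isPublicPath);

// Drive the middleware with a constructed request and report what it did.
function simulate(path, user) {
  let outcome = null;
  const req = { path, user };
  const res = { redirect: target => { outcome = 'redirect:' + target; } };
  guard(req, res, () => { outcome = 'next'; });
  return outcome;
}

// In an Express app the wrapper would be registered as:
//   app.use(unless(requireLogin, isPublicPath));
```

A deny-by-default predicate like this keeps every path that is not explicitly listed behind the login check, which is the safer failure mode when a new folder is added later.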