2

Good day/night,

I am making a store page right now. I need to send two things in the fetch call, the list of items and the id of the user. From my nodejs code I pass my userid like this:

router.get('/testing', async (req, res) => {
    if (req.user) {
        let query = await User.findOne({ userid: req.user.steamid })
        res.render('testing', {
            user: req.user,
            balance: (query.balance/100),
            steamid: req.user.steamid
        })
    } else {
        res.redirect('/')
    }
});

I have my HTML file and my JS code separate. In my HTML I normally call the variable using the handlebars. Eg:

<a class="nav-link" >Balance: ${{balance}}</a>

However one thing I don't understand is how can I use these parameters in my JS code? Which is in an external file. Do I set the variable in the HTML first? If so wouldn't that mean someone could just change it to say my id and then I'd lose my balance? Would I need to use bcrypt to hash the userids? Would really appreciate some advice! :)

Bob Boby
  • https://stackoverflow.com/questions/11523331/passing-variables-through-handlebars-partial – Babak Abadkheir Apr 30 '20 at 00:15
  • I'm a little confused. Isn't that just passing variables into a handlebars template? If so, I know how to do that. I just don't know how to pass the passed variable into external js code. – Bob Boby Apr 30 '20 at 00:22

1 Answer

0

You can simply set them as JavaScript variables in your template before loading your external scripts and they will be available as global variables:

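<script type="text/javascript">
  // Handlebars fills these in on the server before the page is sent
  const userid = {{user.id}};
  const balance = {{balance}};
  const steamid = '{{steamid}}';
</script>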

<script src="/js/site.js" type="text/javascript"></script>
<script type="text/javascript">
  someFunctionFromSiteJsFile(userid, balance, steamid);

   // test displaying userid
   console.log('user id', userid);
</script>

As to your other questions requiring security, that depends on a lot of different factors, and without a lot more detail it is difficult to answer what you should be doing with these variables or if you should be using this technique at all.

Jason Roman
  • Got it! Thanks. Regarding security, while I think I could get away with skipping it, if someone were able to change fetch call requests and add some other user's id (steam ids are public) it could lead to some issues of course. The likelihood of someone doing that is probably quite low. What I could do is simply use bcrypt to hash the ids, then pass that. Then validate it when a fetch call is received by my backend code. But I think I'll skip this for now. Since the worst someone can do is make someone involuntarily receive purchases. – Bob Boby Apr 30 '20 at 01:02
  • Yes you could do something like that, or depending on what you're doing you could validate what is passed to your script against what you have stored on your server for a particular user. Again I'm not exactly sure what you are doing but it sounds like you have a good plan either way. – Jason Roman Apr 30 '20 at 01:04
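An added example (not from the original posts) of the server-side check the last comment describes: the purchase handler takes the account from the login session and looks prices up on the server, so an id or amount changed in the page or in the fetch body is not trusted. The names handlePurchase, CATALOG and the in-memory users map are assumptions standing in for the Express route and the User model, and the ids and prices are constructed sample values.

```javascript
// Constructed sample data; in the app these would be a product table and the User collection.
const CATALOG = new Map([['knife', 1500], ['gloves', 700]]); // prices in cents, server-side only
const users = new Map([
  ['76561190000000001', { balance: 2000 }],
  ['76561190000000002', { balance: 5000 }],
]);

// sessionUser corresponds to req.user (set by the login session),
// body to the parsed JSON payload of the fetch call.
function handlePurchase(sessionUser, body) {
  if (!sessionUser) return { status: 401, error: 'not logged in' };

  // The account is always the session's. An id sent by the client is rejected
  // if it disagrees, so editing it cannot redirect the purchase to another user.
  const steamid = sessionUser.steamid;
  if (body.steamid !== undefined && body.steamid !== steamid) {
    return { status: 403, error: 'steamid does not match session' };
  }

  if (!Array.isArray(body.items) || body.items.length === 0) {
    return { status: 400, error: 'no items' };
  }

  // Prices come from the server catalogue, never from the request.
  let total = 0;
  for (const item of body.items) {
    const price = typeof item === 'string' ? CATALOG.get(item) : undefined;
    if (price === undefined) return { status: 400, error: 'unknown item' };
    total += price;
  }

  const account = users.get(steamid);
  if (!account) return { status: 404, error: 'no such user' };
  if (account.balance < total) return { status: 402, error: 'insufficient balance' };

  account.balance -= total;
  return { status: 200, charged: total, balance: account.balance };
}

// Honest request: the body carries only the items.
console.log(handlePurchase({ steamid: '76561190000000001' }, { items: ['knife'] }));
// Tampered request: logged in as ...01 but naming ...02 in the body.
console.log(handlePurchase({ steamid: '76561190000000001' },
  { steamid: '76561190000000002', items: ['gloves'] }));
```

With a real database the balance check and the decrement should be one atomic update, so two simultaneous requests cannot both pass the check.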