1

I'm making a webapp where people can review movies, and I'm trying to make it so users can't delete other users' reviews.

Here's my AngularJS function to delete movies:

$scope.del_movie = function(movie) {
    $http( {
        method: 'DELETE',
        url: '/movie/:title',
        params: {'title': movie.title},
        data: {'username': movie.username}
    }).then(function successCallback(response) {
        console.log(response);
        return getData();
    }, function errorCallback(response) {
        console.log('Error: ' + response);
    });
};

I've console.logged the movie.username and have received the correct username.

However, when this request gets routed to my express delete function, the req.body.username appears to be undefined. Here's that route:

app.delete("/movie/:title", requiresAuth(), function(req, res) {
    paramsUsernameString = req.body.username;
    oidcEmailString = JSON.stringify(req.oidc.user.email);


    console.log("movie " + req.params.title);

    if(paramsUsernameString != oidcEmailString){
        console.log("req.params.username " + paramsUsernameString + " req.oidc.user.username " + oidcEmailString);
        console.log("can't delete someone else's review!");
    }
    else{
        Movie.findOneAndRemove(req.query, function(err, result) {
            if ( err ) throw err;
            res.json( {
                message: "req.params.username " + paramsUsernameString + " req.oidc.user.username " + oidcEmailString,
                movie: result
            });
        });
    }
});

I've searched around, and most questions here on SO are resolved by requiring body-parser, but I've already done that:

var express = require('express');
var bodyParser = require('body-parser');
var app = express();

My POST request also uses body-parser, and that one works fine.

Appreciate any help with this, happy to provide more information if needed. Thanks!

Casey
  • 31
  • 1
  • 5
  • Does this answer your question? [body is empty when parsing DELETE request with express and body-parser](https://stackoverflow.com/questions/37796227/body-is-empty-when-parsing-delete-request-with-express-and-body-parser) – Chaos Monkey Nov 22 '21 at 20:21
  • If you found my answer helpful than I would appreciate you accepting it – Chaos Monkey Mar 10 '22 at 14:55

1 Answers1

2

The problem is not exactly in your code as it is in the AngularJs $http service. Link to original answer

Sending a body in an HTTP DELETE is discouraged by some providers, but the HTTP spec does not explicitly prohibit it. That's why we end up with these kinds of situations

What you should do in order to overcome this is to explicitly add a Content-Type: application/json header and force the HTTP client, or, better yet, don't send a body in a DELETE request as it is not recommended.

Instead of using the body, you should consider using path params, query params, or maybe even a user header since it seems that is what you are trying to pass in the request

Also make sure you actually use body-parser and not just require it

const express = require('express');
const bodyParser = require('body-parser');
const app = express();

app.use(bodyParser.json())
Chaos Monkey
  • 964
  • 1
  • 6
  • 18
  • What do you mean "force the HTTP client"? How would one do that without changing the client's code? I'm trying to use an API that requires a body in DELETE requests. – Gumby The Green Jan 21 '23 at 06:53
  • The code is written in a way that if you pass a content-type header with the value of `application/json` the body will be added to the request – Chaos Monkey Jan 22 '23 at 12:53