authentication upload based on data in the multipart request body


Hi,

I am building a file manager and I need to check if the current user is authorized to upload a new file to a given project, thus I need data on each file upload. I am using flow.js on the client side and I can send extra data in the request body:

var flow = new Flow({
  target: '/api/photo/redeem-upload-token',
  query: {
    sessionToken: '...',
    projectId: 'huy12387yh1209'
  }
});

The problem is that, as the encoding is multipart, the request body is only parsed by multer and not by any other middleware parser, so I have no access to the extra data before multer uploads the file.

What is the best way of doing this? Should I send the projectId in an http header?

Thanks in advance

I found a related issue, but it is already closed

Issue Analytics

  • State: closed
  • Created 8 years ago
  • Comments: 6 (2 by maintainers)

Top GitHub Comments

LinusU commented, Nov 22, 2015 (1 reaction)

http-errors is a great module for constructing errors with a specific status code.

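var makeError = require('http-errors')

// sessionCanAccessProject is the application's own authorization check.
function fileFilter (req, file, cb) {
  // req.body holds only the fields that arrived before this file part
  var projectId = req.body.projectId
  var sessionToken = req.body.sessionToken

  if (!sessionCanAccessProject(sessionToken, projectId)) {
    return cb(makeError(403))
  }

  cb(null, true)
}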

Note that the above will only work if sessionToken and projectId are sent over the wire before the file in question. You might be required to tweak flow to get that to work. The trick is to add the fields before the files to the FormData object.

caseThree commented, Apr 2, 2021 (0 reactions)

Hey, I am still not able to understand what you meant by that.

This is my multer module:

const multer = require('multer');
const path = require('path');

const storage = multer.diskStorage({
  destination: function(req, file, callback) {
    callback(null, path.join(__dirname,'..','/public/images/profile'));
  },
  filename: function (req, file, callback) {
    callback(null, file.originalname);
  }
});

module.exports = multer({
  storage: storage
}).single('pimage');

Now after this, on my route I am doing this,

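// `upload` is the multer middleware exported by the module above.
router.post('/changeProfileImage', async (req, res) => {
    // jwt.validate(req, res, () => console.log("OK working"));
    console.log(req.body); // undefined here: multer has not parsed the body yet
    try {
        upload(req, res, error => {
            if(error) {
                console.log(req.body);
                console.log("Error uploading file image.", error);
                // report the failure with an error status instead of 200
                res.status(500).send("Error uploading profile image.");
            } else {
                console.log(req.file);
                res.send("Great");
            }
        });
    } catch(error) {
        console.log("Error in change profile image post request.", error);
        res.status(500).send("Error uploading profile image.");
    }
});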

I am getting undefined for req.body, which is correct as express will not parse multiform data. How can I make this field secure? I am sending an auth token with the name "token" and value as a JWT object, but I am not able to get it in the req.body. I want to upload an image as well as the key-value pair for authentication.

PS: The image is uploaded successfully and everything else is working fine.
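
Added example (not part of the original thread and not multer's own code): a minimal in-order walk over a multipart body, showing why a fileFilter can only authorize on fields that precede the file part, and that the check fails closed when they arrive after it. The ACL table, token and project values, and the buildBody and processUpload helpers are constructed for illustration.

```javascript
const ACL = new Map([['tok-alice', ['proj-1']]]); // constructed session -> projects
// Hypothetical stand-in for the application's own access check.
function sessionCanAccessProject(token, projectId) {
  return (ACL.get(token) || []).includes(projectId);
}

// Same shape as the fileFilter in the comment above; missing fields fail closed.
function fileFilter(req, file, cb) {
  const { sessionToken, projectId } = req.body;
  if (!sessionCanAccessProject(sessionToken, projectId)) {
    return cb(Object.assign(new Error('Forbidden'), { status: 403 }));
  }
  cb(null, true);
}
// Serialize ordered parts into a multipart/form-data body (constructed input).
function buildBody(boundary, parts) {
  return parts.map((p) =>
    `--${boundary}\r\nContent-Disposition: form-data; name="${p.name}"` +
    (p.filename ? `; filename="${p.filename}"` : '') +
    `\r\n\r\n${p.value}\r\n`).join('') + `--${boundary}--\r\n`;
}

// Text fields land in req.body as they arrive; a file part is judged by the
// filter using only the fields that preceded it on the wire.
function processUpload(body, boundary, filter) {
  const req = { body: Object.create(null) };
  const result = { accepted: [], rejected: [] };
  for (const raw of body.split(`--${boundary}`).slice(1)) {
    if (raw.startsWith('--')) break; // closing delimiter
    const sep = raw.indexOf('\r\n\r\n');
    const headers = raw.slice(2, sep); // skip the CRLF after the boundary
    const value = raw.slice(sep + 4, -2); // drop the CRLF before the next boundary
    const name = /\bname="([^"]*)"/.exec(headers)[1];
    const fn = /\bfilename="([^"]*)"/.exec(headers);
    if (!fn) { req.body[name] = value; continue; }
    filter(req, { fieldname: name, originalname: fn[1] }, (err, ok) => {
      if (err || !ok) result.rejected.push({ file: fn[1], status: err ? err.status : 400 });
      else result.accepted.push(fn[1]);
    });
  }
  return result;
}

const B = 'XBOUNDARY';
const auth = [{ name: 'sessionToken', value: 'tok-alice' }, { name: 'projectId', value: 'proj-1' }];
const file = { name: 'file', filename: 'a.png', value: 'constructed-bytes' };
const fieldsFirst = processUpload(buildBody(B, [...auth, file]), B, fileFilter);
const fileFirst = processUpload(buildBody(B, [file, ...auth]), B, fileFilter);
console.log(fieldsFirst, fileFirst);
```

With the fields first the file is accepted; with the file first the same request is rejected with 403 because req.body is still empty when the filter runs.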
