💡 [REQUEST] - Add middleware to do data sanitization against NOSQL query injection and XSS and Implement a global error handling controller

[BiswajitSahoo-tech]

Start Date

09/04/2022

Implementation PR

No response

Reference Issues

No response

Summary

• Want to add some middleware that will prevent cross-site scripting and NoSQL query injection.

• Also want to implement a global error handler, which means after catching errors all over the application we send the error to a global error handler which will decide what to do with it.

Basic Example

Let on user.js we get an error which will go to catch section

e,g

try{
   //......
  }catch( err) {
      next( err) // calling the global err handler
  }

And in index.js we have the global error handler which will be called

index.js

app.use( (err, req, res, next) => {
          res.status( err.statuscode) . json( {
          data: err.message
          })
});

Drawbacks

There is no drawback of adding above features

Unresolved questions

No response

[BiswajitSahoo-tech]

@anomic30 please assign this issue to me
Thanks

[ezehlivinus]

@BiswajitSahoo-tech the error controller should be middleware I suggest.

cc/
@anomic30

[BiswajitSahoo-tech]

@ezehlivinus
Sure, it is actually a middleware, But since we are following the MVC model and errorcontroller decides how error data get displayed, therefore I preferred to keep this file under controller/ dir

[ezehlivinus]

@BiswajitSahoo-tech
The code was written in a controller/ folder...it should be in the middleware.

Controllers are meant to handle HTTP requests...

The error handler should be a middleware not a controller.

Also, in API or microservice, the V in MVC are usually omitted because there is no View in API, especially as there is a dedicated frontend project for the API.

Error handler, and...then the controllers does not determine how errors and responses are displayed, the frontend app determines that. What your API need to do is to return the necessary info needed by the frontend.

Restful API does not follow MVC. However, it has a model, controller, services (service was what @Onesco was naming data-repo.... here) and some other structures.

When building API (a standalone app with coupling frontend into it) MVC is usually not a thing and omitted as a result, but some convention is retained.

API does not have a view (V) because it only returns JSON or another form of data exchange, not a view(HTML page + static files). In some cases, it can have that but rarely. When it has a view it means it would return the result as an HTML page direct to the client, which may not be nice or packaged as an email.