All language subtitles for 023 Preventing Parameter Pollution_Downloadly.ir_en

[00:00:01] Welcome to the last video of this section. And in this one, we're gonna be preventing parameter pollution, using yet another NPM package.

[00:00:12] But before installing that package, let's go ahead and take a look at the error. But before doing that, let's head over to Postman and see why we actually need to prevent parameter pollution in the first place.

[00:00:27] So, first up, we need to log in. Okay, so, with this user and this password. So now we can use the Get All Tours route. All right, and so what I'm gonna do now here is to add some parameters to the query string. So let's see, I want to sort by duration, and at the same time, I also want to sort by price.

[00:00:58] And it doesn't actually make much sense, right, because we're prepared to only have one sort parameter. So let's see what we actually get with this. And indeed we get an error saying that this .querystring.sort.split is not a function. And so that's happening in the apiFeatures.js in line 23.

[00:01:22] So let's open that, and so here, on line 23, is where that error occurs. So it's trying to split the sort property here, which we expect to be a string. But right now, since we defined it twice, so sort once and then sort twice, Express will actually create an array with these two values, duration and price.

[00:01:49] Let me actually show that to you. Console.log. Now I'm copying it. Okay, try it again. Here's the same error and, as I said, it is actually an array with duration and price. And so that, of course, we cannot split, because split only works on strings, okay? And so this is a typical problem which attackers can then make use of.

[00:02:21] All right, and so basically we're now going to use a middleware which will simply remove these duplicate fields, okay? And that one, let's install it. It is called HPP, which stands for HTTP Parameter Pollution. All right. Let's quickly require it here.

[00:02:55] All right, and so, this is yet another very simple one. All we need to do is app.use and then call HPP. So, prevent parameter pollution. And this one again should be used here by the end, okay, because what it does is to clear up the query string, all right?

[00:03:20] So let's try that again. It's taking a bit of time, and here we go. So the error is gone, and so now it's only using the last one. So it's sorting by price now, and indeed we start with the lowest one and then moving up, 497, all the way to the most expensive one of almost 3000, all right?

[00:03:45] So that's kind of fixed, but we actually want some duplicate properties or fields in some cases, right? For example, we might want to search for tours with the duration of nine and five.

[00:04:01] So remember that in our API, we can do this, so duration equals five, and we can say, at the same time, duration nine, okay? And we want this actually to work, but right now it doesn't. It only finds the tour with nine days, right? But if we hadn't, or HPP middleware. So let's deactivate it. So if we didn't have it active, then we would find three tours, one with duration five, then here with duration nine, and here another one with duration five.

[00:04:39] Okay, and so in this case, this is actually the expected behavior. So what we can do in order to be able to use the middleware but still get this result that we expect here, with the duration, we can white list some parameters, okay? So into this HPP function, we can once more pass an object and then, in there, specify the white list, okay? And the white list is simply an array of properties for which we actually allow duplicates in the query string. Okay? And so duration is, of course, one of them, all right?

[00:05:22] So, let's try that again. And so, right now we still get our three results as before. But if we tried it with sort, and let's create a new tab here. So if we tried it with these double sorts, then we should also get no error. Well, now we're not logged in, so let's just get our error token here. Try that again. And now indeed it works, we get no error. And so that HPP middleware is doing its job. All right?

[00:06:05] Also close up this one, and now we should also specify some other fields in our white list, because, for example, we want to search for this one as well, or the ratings quantity. And so let's just copy all of them here into our white list. So the average as well. Then also duration we already have, and let's say max group size. We might also want the difficulty. And also the price. And I think that should then be enough. All right.

[00:07:05] And it might seem a bit weird to basically manually put all the field names here, and later we might have to do the same thing for the other resources, and that will then make this white list even bigger, right? And of course we could do some complex stuff here in order to get these field names from the model itself, but once more, I just want to keep it simple here, okay? And so I'm just manually defining these field names here and then call it a day, all right? Okay, and that actually wraps up our authentication, authorization and security section.

[00:07:41] And if you wanna have some more fun with it, then of course you can try to implement some of the stuff that I suggested in that summary video that I showed you before, with that slide with all these different security measures that we already implemented and some of which I told you to experiment with. So feel free to do that, or if not, well then let's just together move on to the next section, which is gonna be a really exciting one again, because we will then really start modeling the data and learn some more really advanced MongoDB stuff. So I can't wait to see you there.
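As an added example, not the course's own code, the following Node.js script reproduces the `sort.split is not a function` error from the video and mimics what the hpp middleware does by default with the same whitelist, without Express or hpp installed so it runs offline. `parseQuery`, `buildSort` and `sanitizeQuery` are helpers assumed here, and the camelCase spelling of the spoken field names (ratingsQuantity, ratingsAverage, maxGroupSize) is an assumption.

```javascript
// Added example, not the course's code: reproduces the parameter pollution bug
// from the video and the whitelist fix without Express or hpp, so it runs
// offline in plain Node.js. parseQuery, buildSort and sanitizeQuery are assumed.
// Parse a query string the way Express does: a repeated key becomes an array.
function parseQuery(qs) {
  const query = {};
  for (const [key, value] of new URLSearchParams(qs)) {
    if (!Object.prototype.hasOwnProperty.call(query, key)) query[key] = value;
    else if (Array.isArray(query[key])) query[key].push(value);
    else query[key] = [query[key], value];
  }
  return query;
}

// The fragile line from apiFeatures.js: it assumes sort is a string, so the
// array produced by ?sort=duration&sort=price throws "split is not a function".
function buildSort(query) {
  return query.sort.split(',').join(' ');
}

// Mimics hpp's default: a repeated parameter that is not whitelisted keeps only
// its last value (the array is reported separately, like req.queryPolluted);
// whitelisted parameters keep their arrays so ?duration=5&duration=9 matches both.
function sanitizeQuery(query, whitelist) {
  const clean = {};
  const polluted = {};
  for (const [key, value] of Object.entries(query)) {
    if (Array.isArray(value) && !whitelist.includes(key)) {
      polluted[key] = value;
      clean[key] = value[value.length - 1];
    } else {
      clean[key] = value;
    }
  }
  return { clean, polluted };
}

// The course's whitelist (camelCase spelling of the spoken names is assumed).
const WHITELIST = ['duration', 'ratingsQuantity', 'ratingsAverage',
                   'maxGroupSize', 'difficulty', 'price'];

// Constructed request: the polluted sort plus the intended duration filter.
const raw = parseQuery('sort=duration&sort=price&duration=5&duration=9');

function demo() {
  let before;
  try { before = buildSort(raw); } catch (e) { before = e.constructor.name; }
  const { clean, polluted } = sanitizeQuery(raw, WHITELIST);
  return { before, after: buildSort(clean), duration: clean.duration, polluted };
}

console.log(demo());
```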
