Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated:
1
00:00:01,210 --> 00:00:04,340
Welcome to the last video of this section.
2
00:00:04,340 --> 00:00:05,610
And in this one, we're gonna be
3
00:00:05,610 --> 00:00:07,880
preventing parameter pollution,
4
00:00:07,880 --> 00:00:10,593
using yet another NPM package.
5
00:00:12,270 --> 00:00:15,400
But before installing that package, let's go ahead
6
00:00:15,400 --> 00:00:17,780
and take a look at the error.
7
00:00:17,780 --> 00:00:20,820
But before doing that, let's head over to Postman
8
00:00:20,820 --> 00:00:22,290
and see why we actually need
9
00:00:22,290 --> 00:00:25,363
to prevent parameter pollution in the first place.
10
00:00:27,410 --> 00:00:30,993
So, first up, we need to log in.
11
00:00:32,240 --> 00:00:35,590
Okay, so, with this user and this password.
12
00:00:35,590 --> 00:00:39,290
So now we can use the Get All Tours route.
13
00:00:39,290 --> 00:00:41,570
All right, and so what I'm gonna do now here
14
00:00:41,570 --> 00:00:45,140
is to add some parameters to the query string.
15
00:00:45,140 --> 00:00:49,443
So let's see, I want to sort by duration,
16
00:00:52,830 --> 00:00:57,233
and at the same time, I also want to sort by price.
17
00:00:58,110 --> 00:01:01,140
And it doesn't actually make much sense right
18
00:01:01,140 --> 00:01:05,099
because we're prepared to only have one sort parameter.
19
00:01:05,099 --> 00:01:08,310
So let's see what we actually get with this.
20
00:01:08,310 --> 00:01:11,849
And indeed we get an error saying that this
21
00:01:11,849 --> 00:01:15,890
.querystring.sort.split is not a function.
22
00:01:15,890 --> 00:01:20,890
And so that's happening in the apiFeatures.js in line 23.
23
00:01:22,550 --> 00:01:23,800
So let's open that
24
00:01:26,560 --> 00:01:31,560
and so here, on line 23 is where that error occurs.
25
00:01:32,520 --> 00:01:35,710
So it's trying to split the sort property here,
26
00:01:35,710 --> 00:01:37,930
which we expect to be a string.
27
00:01:37,930 --> 00:01:41,110
But right now since we defined it twice,
28
00:01:41,110 --> 00:01:44,510
so sort once and then sort twice, express will actually
29
00:01:44,510 --> 00:01:48,423
create an array with these two values, duration and price.
30
00:01:49,610 --> 00:01:51,713
Let me actually show that to you.
31
00:01:54,320 --> 00:01:55,800
Console.log.
32
00:01:55,800 --> 00:01:57,053
Now I'm copying it.
33
00:02:01,660 --> 00:02:03,323
Okay, try it again.
34
00:02:04,210 --> 00:02:07,490
Here's the same error and as I said it is actually
35
00:02:07,490 --> 00:02:10,539
an array with duration and price.
36
00:02:10,539 --> 00:02:12,520
And so that of course, we cannot split
37
00:02:12,520 --> 00:02:16,370
because split only works on strings, okay?
38
00:02:16,370 --> 00:02:19,850
And so this is a typical problem which attackers
39
00:02:19,850 --> 00:02:21,920
can then make use of.
40
00:02:21,920 --> 00:02:24,480
All right, and so basically we're now going to use
41
00:02:24,480 --> 00:02:26,290
a middleware which will simply
42
00:02:26,290 --> 00:02:30,930
remove these duplicate fields, okay?
43
00:02:30,930 --> 00:02:33,470
And that one, let's install it.
44
00:02:33,470 --> 00:02:38,200
It is called HPP which stands for
45
00:02:38,200 --> 00:02:40,393
HTTP Parameter pollution.
46
00:02:42,080 --> 00:02:42,913
All right.
47
00:02:45,700 --> 00:02:47,883
Let's quickly require it here.
48
00:02:55,810 --> 00:03:00,550
All right, and so, this is yet another very simple one.
49
00:03:00,550 --> 00:03:05,263
All we need to do is app.use and then call HPP.
50
00:03:06,710 --> 00:03:10,750
So, prevent parameter pollution.
51
00:03:12,750 --> 00:03:15,910
And this one again should be used here by the end, okay,
52
00:03:15,910 --> 00:03:18,120
because what it does is to clear up
53
00:03:18,120 --> 00:03:20,470
the query string, all right?
54
00:03:20,470 --> 00:03:22,003
So let's try that again.
55
00:03:24,050 --> 00:03:26,690
It's taking a bit of time, and here we go.
56
00:03:26,690 --> 00:03:28,080
So the error is gone
57
00:03:28,080 --> 00:03:31,120
and so now it's only using the last one.
58
00:03:31,120 --> 00:03:34,930
So it's sorting my price now and indeed we start
59
00:03:34,930 --> 00:03:38,760
with the lowest one and then moving up 497,
60
00:03:38,760 --> 00:03:40,860
all the way to the most expensive one
61
00:03:40,860 --> 00:03:44,423
of almost 3000, all right?
62
00:03:45,380 --> 00:03:48,260
So that's kind of fixed but we actually want
63
00:03:48,260 --> 00:03:52,800
some duplicate properties or fields in some cases, right?
64
00:03:52,800 --> 00:03:55,690
For example we might want to search for tours
65
00:03:55,690 --> 00:03:57,913
with the duration of nine and five.
66
00:04:01,690 --> 00:04:04,960
So remember that in our API, we can do this,
67
00:04:04,960 --> 00:04:08,283
so duration equals five, and we can say,
68
00:04:09,670 --> 00:04:13,980
at the same time, duration nine, okay?
69
00:04:13,980 --> 00:04:17,740
And we want this actually to work but right now it doesn't.
70
00:04:17,740 --> 00:04:22,010
It only finds the tour with nine days, right?
71
00:04:22,010 --> 00:04:24,823
But if we hadn't, or HPP middleware.
72
00:04:26,000 --> 00:04:28,253
So let's deactivate it.
73
00:04:29,130 --> 00:04:31,130
So if we didn't have it active,
74
00:04:31,130 --> 00:04:35,130
then we would find three tours, one with duration five,
75
00:04:35,130 --> 00:04:37,000
then here with duration nine
76
00:04:37,000 --> 00:04:39,300
and here another one with duration five.
77
00:04:39,300 --> 00:04:40,930
Okay, and so in this case,
78
00:04:40,930 --> 00:04:43,890
this is actually the expected behavior.
79
00:04:43,890 --> 00:04:45,800
So what we can do in order to be able
80
00:04:45,800 --> 00:04:48,463
to use the middleware but still get this result
81
00:04:48,463 --> 00:04:51,670
that we expect here, with the duration,
82
00:04:51,670 --> 00:04:55,770
we can white list some parameters, okay?
83
00:04:55,770 --> 00:05:00,770
So into this HPP function, we can once more pass
84
00:05:01,050 --> 00:05:05,543
an object and then in there, specify the white list, okay?
85
00:05:06,560 --> 00:05:10,690
And the white list is simply an array of properties
86
00:05:10,690 --> 00:05:14,213
for which we actually allow duplicates in the query string.
87
00:05:15,990 --> 00:05:16,823
Okay?
88
00:05:16,823 --> 00:05:20,943
And to duration is of course one of them, all right?
89
00:05:22,070 --> 00:05:23,543
So, let's try that again.
90
00:05:26,292 --> 00:05:30,890
And so, right now we still get our three results as before.
91
00:05:30,890 --> 00:05:33,480
But if we tried it with sort,
92
00:05:33,480 --> 00:05:35,483
and let's create a new tab here.
93
00:05:40,990 --> 00:05:43,453
So if we tried it with these double sorts,
94
00:05:44,350 --> 00:05:46,730
then we should also get no error.
95
00:05:46,730 --> 00:05:48,183
Well now were not logged in,
96
00:05:49,295 --> 00:05:54,295
so let's just get our error token here.
97
00:05:54,400 --> 00:05:55,650
Try that again.
98
00:05:55,650 --> 00:05:58,870
And now indeed it works, we get no error.
99
00:05:58,870 --> 00:06:02,713
And so that HPP middleware is doing it's job.
100
00:06:04,100 --> 00:06:05,680
All right?
101
00:06:05,680 --> 00:06:09,110
Also close up this one, and now we should also
102
00:06:09,110 --> 00:06:12,450
specify some other fields in our white list,
103
00:06:12,450 --> 00:06:16,250
because for example we want to search for this one as well,
104
00:06:16,250 --> 00:06:18,130
or the ratings quantity.
105
00:06:18,130 --> 00:06:21,863
And so let's just copy all of them here into our white list.
106
00:06:28,940 --> 00:06:30,423
So the average as well.
107
00:06:35,210 --> 00:06:38,700
Then also duration we already have,
108
00:06:38,700 --> 00:06:40,403
and let's say max group size.
109
00:06:46,680 --> 00:06:48,983
We might also want the difficulty.
110
00:06:54,920 --> 00:06:56,070
And also the price.
111
00:06:56,070 --> 00:06:58,773
And I think that should then be enough.
112
00:07:03,370 --> 00:07:04,223
All right.
113
00:07:05,950 --> 00:07:09,540
And it might seem a bit weird to basically manually
114
00:07:09,540 --> 00:07:12,350
put all the field names here and later we might
115
00:07:12,350 --> 00:07:15,410
have to do the same thing for the other resources,
116
00:07:15,410 --> 00:07:19,010
and that will then make this white list even bigger, right?
117
00:07:19,010 --> 00:07:21,860
And of course we could do some complex stuff
118
00:07:21,860 --> 00:07:23,930
here in order to get these field names
119
00:07:23,930 --> 00:07:26,690
from the model itself, but once more,
120
00:07:26,690 --> 00:07:28,980
I just want to keep it simple here, okay?
121
00:07:28,980 --> 00:07:32,160
And so I'm just manually defining these field names here
122
00:07:32,160 --> 00:07:34,900
and then call it a day, all right?
123
00:07:34,900 --> 00:07:38,620
Okay, and that actually wraps up our authentication,
124
00:07:38,620 --> 00:07:41,590
authorization and security section.
125
00:07:41,590 --> 00:07:44,620
And if you wanna have some more fun with it, then of course,
126
00:07:44,620 --> 00:07:46,730
you can try to implement some of the stuff
127
00:07:46,730 --> 00:07:49,213
that I suggested in that summary video
128
00:07:49,213 --> 00:07:51,260
that I showed you before with that slide
129
00:07:51,260 --> 00:07:53,160
with all these different security measures
130
00:07:53,160 --> 00:07:55,530
that we already implemented and some of which
131
00:07:55,530 --> 00:07:57,970
I told you to experiment with.
132
00:07:57,970 --> 00:08:00,700
So feel free to do that, or if not,
133
00:08:00,700 --> 00:08:04,330
well then let's just together move on to the next section
134
00:08:04,330 --> 00:08:06,750
which is gonna be a really exciting one again
135
00:08:06,750 --> 00:08:09,800
because we will then really start modeling the data
136
00:08:09,800 --> 00:08:12,920
and learn some more really advanced MongoDB stuff.
137
00:08:12,920 --> 00:08:14,763
So I can't wait to see you there.
10743
Can't find what you're looking for?
Get subtitles in any language from opensubtitles.com, and translate them here.