I use Vue on the front end. There I set up vue-router to serve the relevant pages for specific requests. On the back end I use Node/Express. The question is: when I type the full path to a component into the address bar, it serves the page and everything is fine, but if I enter the URL that I use as an endpoint in one of my API's GET requests, for example router.get('/users', (req, res) => { res.send(users) }), then it returns JSON with all users from the database. This is not normal: there are emails, names, etc. The password is hashed, of course, but still. How can I avoid this? A piece of my Node app.js:

    const routes = require("./routes");
    // API routes are mounted first, so GET /users is reachable directly from the address bar
    app.use("/", routes);
    app.use(history({ verbose: true, index: '/' }));
    app.get("/", function(req, res, next) {
      // serve the SPA shell only for paths that exist in vue-router
      if (checkRoutes(req.originalUrl)) {
        res.sendFile(__dirname + '/dist/index.html');
      } else {
        next(); // otherwise fall through instead of leaving the request hanging
      }
    });

Here checkRoutes(url) checks whether such a route exists in the vue-router.

  • Use authorization to verify, and add permissions. As the simplest solution, you can use POST requests instead of GET, and return an error for GET. - Idushii
  • And how do I get the necessary data using a POST request? - Daniyal Lukmanov

1 answer

app.post("/users", callback) on the server, and a POST request on the client. But in general I advise you to set up authorization.

  • So some kind of authorization is configured. But how do I bind it to API requests made directly in the browser? - Daniyal Lukmanov
  • If you use a token to verify authorization, then check it; if you use sessions, then the sessionID, or something else. And without it, send an error. - Idushii
  • Regarding returning the hashed password: in theory it should not be sent at all. If you need to change it somehow, use separate methods for that. And in no case send it anywhere else; only a comparison on the server. - Idushii
  • Suppose I logged in. I went to the admin panel and work there. I click on a button to see users/documents, etc. When this is done, a GET request is sent to the server. Send a token with the GET request? As a query parameter, for example? - Daniyal Lukmanov
  • If you look carefully at the headers of what is sent in the request, you will see that there is a lot of additional information. If everything is set up well, authorization information will be provided there, and this information can be checked on the server. If it is not passed there, it turns out that anyone who knows the endpoint of your application can get information from the database at any time, even without authorization. - Idushii
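The two points made in this answer and its comments, a server-side check of the Authorization header before the /users handler runs and never returning the password hash, as an added example that is not the asker's or the answerer's code. It assumes an Express-style (req, res, next) middleware signature and uses a constructed in-memory token store and constructed user records in place of the real session store and database; makeResponse and handleUsersRequest are stand-ins so the example runs without Express installed.

```javascript
// Constructed sample data: in the real app this comes from the database.
const users = [
  { id: 1, name: 'Alice', email: 'alice@example.com', passwordHash: '$2b$10$constructed-hash-1', role: 'admin' },
  { id: 2, name: 'Bob', email: 'bob@example.com', passwordHash: '$2b$10$constructed-hash-2', role: 'user' },
];
// Constructed token store: token -> user id. A session store would play the same role.
const validTokens = new Map([['tok-abc123', 1]]);

// Only the fields the admin panel needs; passwordHash never leaves the server.
function publicUserView(user) {
  const { id, name, email, role } = user;
  return { id, name, email, role };
}

// Express lower-cases header names, so the header is req.headers.authorization.
function extractBearerToken(req) {
  const header = (req.headers && req.headers.authorization) || '';
  const match = /^Bearer\s+(\S+)$/i.exec(header);
  return match ? match[1] : null;
}

// Middleware: a URL typed into the address bar carries no Authorization header,
// so it gets a 401 instead of the user list. Runs before the route handler.
function requireAuth(req, res, next) {
  const token = extractBearerToken(req);
  const userId = token !== null ? validTokens.get(token) : undefined;
  if (userId === undefined) {
    res.status(401).json({ error: 'authorization required' });
    return;
  }
  req.userId = userId;
  next();
}

function listUsers(req, res) {
  res.status(200).json(users.map(publicUserView));
}

// Minimal res stand-in so the example runs without Express installed.
function makeResponse() {
  const res = { code: 200, body: undefined };
  res.status = (c) => { res.code = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Runs the same chain Express would for app.get('/users', requireAuth, listUsers).
function handleUsersRequest(req) {
  const res = makeResponse();
  requireAuth(req, res, () => listUsers(req, res));
  return { code: res.code, body: res.body };
}
```

In the asker's app.js the equivalent mounting is app.get('/users', requireAuth, listUsers) placed before the history fallback, and the Vue client sends the token with fetch('/users', { headers: { Authorization: 'Bearer ' + token } }) rather than as a query parameter, so it does not end up in server logs or browser history.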