Server-side Form Handling

• Application Framework using Express
• Templated Rendering using ExpressHandlerbars

• Retrieval of Request Parameters
• Input Validations
• Output Formats (HTML/JSON/XML)
• Output Sanitizations (to be detailed next week)

• Model best for slow/blocking (network) I/Os, now asynchronously handled
• Benefits and Concepts covered in last lecture and reading
• Resource efficient. Can easily scale up with Amazon Beanstalk
• Unlike optionally async with a library (e.g., Twisted in Python)

• Developer-friendly to JS/AJAX folks

• JIT Compilation: Compiled to binary, and runs like executable
• Memory more efficient and Faster than vanilla PHP (FB made HipHop VM)

• Yahoo, Paypal, Walmart, Rakuten, Groupon, LinkedIn, Microsoft, etc.

• Built-in HTTP library, doing away with Apache/IIS/Nginx

var http = require('http');
http.createServer(function (req, res) {
  res.writeHead(200, {'Content-Type': 'text/html'});
  res.end('<h1>Hello World</h1>');
}).listen(3000, "localhost");

$ node server.js

• Create a HTTP server binded to port 3000 of localhost
• Execute the callback per request

• A specification standard of (dev)dependencies
  
  devDependencies refers to those needed only during development but not runtime
  - NPM: package.json specifies the required packages
• A repository to host packages published by developers
  - NPM: https://www.npmjs.com/
• A CLI toolset to recursively install/manage required dependencies and versions
  - NPM: npm install looks for ./package.json, and recursively installs all dependency packages
  

  - NPM: npm install <packageName> --save downloads packageName and marks it dependent in your package.json
  - NPM: npm install <packageName> --save-dev downloads packageName and marks it devDependent in your package.json

• 25 min. Get prepared with your laptop
• Some walkthroughs and demonstrations
• Teaching teams then workaround to help

• Prerequisite:
  install Node.js and init a new project
• Install dependencies:
  npm install express body-parser express-handlebars --save
• Sample code using ExpressHandlebars

exports.hello = function () { console.log('hello') };

var ierg4210 = require('./lib/ierg4210-static');
ierg4210.hello();

module.exports = function Person(name) {this.name = name;}
Person.prototype.getName = function() {return this.name;}; 

var Person = require('./lib/ierg4210-object');
var peter = new Person('Peter', 'M');
peter.getName();

• // for parsing application/x-www-form-urlencoded
  var bodyParser = require('body-parser');
  app.use(bodyParser.urlencoded({extended:true}));
  
  app.use('/process/:action(\w*)', function(req, res){
    // refers to params named "action" (e.g., /process/abc)
    console.log('params: ' + req.params.action);
    // refers to query string named "q" (e.g., /process?q=abc)
    console.log('query: ' + req.query.q);
    // refers to POST parameter named "q"
    console.log('post: ' + req.body.q);
    res.writeHead(200, {'Content-Type': 'text/html'});
    res.end('<h1>Hello World!</h1>');
  });
  

Ref: Express API

• Unexpected user inputs could lead to unauthorized executions
• Input validation problems ranked constantly high in 2007, 2010, 2013
  by OWASP Top 10 Application Security Risks
• In 2013, those include: A1 Injection, A3 Cross-site Scripting, A4 Insecure Direct Object References

• Input Validations - pattern restrictions
  • blacklist malicious patterns: harder to sort out what's bad
  • whitelist acceptable patterns: easier to pin down the allowed space, hence whitelist whenever possible
• Input Sanitizations/Encoding - escape sensitive chars. to stop executions
  • Type casting: untrusted = parseInt(untrusted) enforces an integer in JavaScript
  • Escape characters: prevent SQL injection (to be covered)

app.use('/process', function(req, res){
  res.writeHead(200, {'Content-Type': 'text/html'});

  // input validation
  var InputRegExp = /^\w+$/;
  if (![req.body.firstname, req.body.lastname]
       .every(function(input){return InputRegExp.test(input);})) {
    res.end('Incorrect Inputs');
    return;
  }
  // input sanitization
  req.body.age = parseInt(req.body.age);
  

  // further processing only after proper validations and sanitizations
  res.end('<h1>Hello, ' + req.body.firstname + req.body.lastname + ' </h1>');
});

var app = require('express')(),
  bodyParser = require('body-parser'),
  expressValidator = require('express-validator');

app.use(bodyParser.urlencoded({extended:true}));
app.use(expressValidator());

app.use('/process', function(req, res){
  res.writeHead(200, {'Content-Type': 'text/html'});

  // input validation
  req.checkBody('firstname', 'Invalid first name').notEmpty().isAlphanumeric();
  req.checkBody('lastname', 'Invalid last name').notEmpty().isAlphanumeric();
  // input sanitization
  req.sanitize('age').toInt();
  var errors = req.validationErrors();
  if (errors) {
    res.send('Errors: ' + JSON.stringify(errors), 400);
    return;
  }
  // further processing only after proper validations and sanitizations
  res.end('<h1>Hello, ' + req.body.firstname + req.body.lastname + ' </h1>');
});

• server-side for security enforcement
• client-side for user experience enhancement
• Reason: client validation code is shipped to client, which can freely be manipulated and bypassed at browsers, while server logic is hidden from clients and will send only the resulted HTML. The computation integrity of validations can thus be protected.

• Keep server- and client-side input validations as consistent as possible!!
• Intrinsic advantage of Node.js: code/pattern reuse across client- and server-side

• Response size too bulky (bandwidth, latency)
• Take server resources for data binding with templates

• Compact in response size. Fast JSON parser.
• Facilitate shifting data binding and UI work to client-side

• As bulky as HTML. Slower than JSON parser
• Used in legacy web services supporting SOAP

• Lecture Notes in 2012