Hidden query

Express.js type middleware to hide query parameters from browser urls. Hidden query parameters are still accessible from req.query as normal.

Run-time dependencies

This package needs to be used in conjunction with a session middleware, such as express-session or cookie-session

API

const express = require('express');
const cookieSession = require('cookie-session');
const hiddenQuery = require('@booli/hidden-query');

var app = express()
 
app.use(cookieSession({ /* ... */ }))

app.use(hiddenQuery(
  'foo', 'bar', {
    qux: '/home',
    baz: '/users/:id',
  }
));

Only one instance of the hiddenQuery middleware should handle an incoming request. Avoid combining general rules for all routes with rules for specific routes, as seen in the example below. Currently this type of usage is not supported and might lead to infinite redirects.

// Bad combination

app.use(hiddenQuery('foo', 'bar'));

app.use('/home', hiddenQuery('qux'), (req, res, next) => { /* ... */ });

hiddenQuery(queryKey, queryKey2, ...)

Pass arbitrary number of query keys to hide. The keys can be strings, in which case the corresponding query parameter will be hidden for all requests handled by the middleware, or objects with a key-path pairs, in which case the corresponding query parameter will be hidden if the request url matches the path. When passing objects with key-path pairs, the path matching is done using path-to-regexp, which allows various patterns.

If no query keys are passed, all query parameters will be hidden for all routes handled by the middleware.

Under the hood

On incoming request, query parameters to be hidden are saved to the session and then the browser is redirected with status 302 to the same url without the extracted parameters in the url. On the subsequent redirected request, the parameters from the session are picked up and exposed on the req.query together with query parameters present in the request url.