@booli/hidden-query
v1.1.3
Published
Hide specified query paramters
Downloads
11
Keywords
Readme
Hidden query
Express.js type middleware to hide query parameters from browser urls. Hidden query
parameters are still accessible from req.query
as normal.
Run-time dependencies
This package needs to be used in conjunction with a session middleware, such as express-session or cookie-session
API
const express = require('express');
const cookieSession = require('cookie-session');
const hiddenQuery = require('@booli/hidden-query');
var app = express()
app.use(cookieSession({ /* ... */ }))
app.use(hiddenQuery(
'foo', 'bar', {
qux: '/home',
baz: '/users/:id',
}
));
Only one instance of the hiddenQuery middleware should handle an incoming request. Avoid combining general rules for all routes with rules for specific routes, as seen in the example below. Currently this type of usage is not supported and might lead to infinite redirects.
// Bad combination
app.use(hiddenQuery('foo', 'bar'));
app.use('/home', hiddenQuery('qux'), (req, res, next) => { /* ... */ });
hiddenQuery(queryKey, queryKey2, ...)
Pass arbitrary number of query keys to hide. The keys can be strings, in which case the corresponding query parameter will be hidden for all requests handled by the middleware, or objects with a key-path pairs, in which case the corresponding query parameter will be hidden if the request url matches the path. When passing objects with key-path pairs, the path matching is done using path-to-regexp, which allows various patterns.
If no query keys are passed, all query parameters will be hidden for all routes handled by the middleware.
Under the hood
On incoming request, query parameters to be hidden are saved to the session and then the browser is
redirected with status 302
to the same url without the extracted parameters in the url. On the subsequent
redirected request, the parameters from the session are picked up and exposed on the req.query
together with
query parameters present in the request url.