Home>Article>Web Front-end> How does Node in the Controller layer perform data verification?
[Video tutorial recommendation:node js tutorial]
Humorous back-end programmers usually laugh at themselves as CURD Boy. CURD, which is the addition, deletion, modification and query of a certain storage resource, is completely data-oriented programming.
It’s great. Data-oriented programming often leads to a more thorough understanding of the business, thereby writing higher-quality code and creating fewer bugs. Since it is data-oriented programming, it is even more necessary to avoid the appearance of dirty data and strengthen data verification. Otherwise, should we trust the front-end data verification? After all, the front-end data verification goes directly to the user for more user-friendly feedback at the UI layer.
The backend is divided into various levels due to its emphasis on business logic and various data to be processed. There are many backend projects I have experienced. There are various named layers forController,Service,Model,Helper,Entity, etc. But there must be a layer here calledController, which stands at the top layer of the backend and directly receives the data transmitted by the client.
Since theControllerlayer is the top layer that interacts with client data on the server side, it adheres to the principle ofFail Fastand is responsible for the function of data filter. Illegal data will be sent back directly, as majestic as the door gods Qin Qiong and Yuchi Gong.
Data verification also derives a semi-documented by-product. You only need to take a look at the data verification layer to know which fields are to be transmitted and what formats they are in.
The following are common data verifications. This article describes how to verify them:
const body = { id, name, mobilePhone, email }
The author has come into contact with a system without data verification layer Back-end projects,if/elseare flooded at various levels, which is extremely painful and requires refactoring in minutes.
JSON SchemaBased on JSON for data verification format, with a specificationjson-schema.org, currently (2020 -08) The latest version is 7.0. Various server programming languages have implemented the specifications, such asgo,java,php, etc. Of course, there are also great javascripts, such as tepidajv.
The following is a Schema for verifying user information. It can be seen that the syntax is complex and cumbersome:
{ "$schema": "http://json-schema.org/draft-04/schema#", "title": "User", "description": "用户信息", "type": "object", "properties": { "id": { "description": "用户 ID", "type": "integer" }, "name": { "description": "用户姓名", "type": "string" }, "email": { "description": "用户邮箱", "type": "string", "format": "email", "maxLength": 20 }, "mobilePhone": { "description": "用户手机号", "type": "string", "pattern": "^(?:(?:\+|00)86)?1[3-9]\d{9}$", "maxLength": 15 } }, "required": ["id", "name"] }
For complex data type verification, JSON Schema has the following Format built-in for convenient and quick verification
For mobile phone numbers that are not in the built-in Format, useajv.addFormatto manually add the Format
ajv.addFormat('mobilePhone', (str) => /^(?:(?:\+|00)86)?1[3-9]\d{9}$/.test(str));
#joiclaims to be the most powerful JS verification library and has also gained 16,000 stars on github. Compared with JSON Schema, its syntax is more concise and powerful.
The most powerful data validation library for JS
Complete the same validation, only requires less code, and can complete more powerful validation. The following are only examples, please go to the documentation for more examples.
const schema = Joi.object({ id: Joi.number().required(), name: Joi.number().required(), email: Joi.string().email({ minDomainSegments: 2, tlds: { allow: ['com', 'net'] } }), mobilePhone: Joi.string().pattern(/^(?:(?:\+|00)86)?1[3-9]\d{9}$/), password: Joi.string().pattern(/^[a-zA-Z0-9]{3,30}$/), // 与 password 相同的校验 repeatPassword: Joi.ref('password'), }) // 密码与重复密码需要同时发送 .with('password', 'repeat_password'); // 邮箱与手机号提供一个即可 .xor('email', 'mobilePhone')
Since the data is passed directly from the routing,koajsofficially implemented abased onjoijoi-router, the pre-data is verified to the routing layer, and thequery,bodyandparamspassed from the front end are verified.
joi-routeralso parses and limits variouscontent-typetransmitted by the front end based onco-body. If it is limited toapplication/json, CSRF attacks can also be prevented to a certain extent.
const router = require('koa-joi-router'); const public = router(); public.route({ method: 'post', path: '/signup', validate: { header: joiObject, query: joiObject, params: joiObject, body: joiObject, maxBody: '64kb', output: { '400-600': { body: joiObject } }, type: 'json', failure: 400, continueOnError: false }, pre: async (ctx, next) => { await checkAuth(ctx); return next(); }, handler: async (ctx) => { await createUser(ctx.request.body); ctx.status = 201; }, });
When the author was troubleshooting a performance problem, he discovered that an API actually took too long in the data verification layer, which I had never thought of. The root of the problem lies in unsafe regular expressions. So what are unsafe regular expressions?
For example, the regular expression below that can hang up the CPU is a time bomb, and the number of backtracking has increased exponentially.
可以参考文章 浅析 ReDos 原理与实践
const safe = require('safe-regex') const re = /(x+x+)+y/ // 能跑死 CPU 的一个正则 re.test('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx') // 使用 safe-regex 判断正则是否安全 safe(re) // false
数据校验,针对的大多是字符串校验,也会充斥着各种各样的正则表达式,保证正则表达式的安全相当紧要。safe-regex能够发现哪些不安全的正则表达式。
更多编程相关知识,可访问:编程教学!!
The above is the detailed content of How does Node in the Controller layer perform data verification?. For more information, please follow other related articles on the PHP Chinese website!