时间戳

首页 > 解决方案 > 将 Angular HTTP 与 TypeORM 控制器/Nestjs 连接起来——这些工作但安全吗?

angular - 将 Angular HTTP 与 TypeORM 控制器/Nestjs 连接起来——这些工作但安全吗?

问题描述

我对在我的代码中设计安全性感到紧张。我让这段代码正常工作,但它是安全性的最佳选择,还是有更好的方法来进行 CRUD 和查询?我在这里包括完整的 CRUD 和几个查询作为其他人的示例。到目前为止,网络上几乎没有关于 Angular 和 Nestjs / TypeORM 如何结合在一起的内容。对于我们这些刚接触服务器端的人来说,这应该有助于填补这一空白。我喜欢改进和讨论的建议,因为我没有信心我做对了。

下面是 TypeORM 存储库查找选项方法和查询生成器方法。不确定哪个最好或是否重要。

角 httpService.service

// ---- GET all records. ----

  public getAllRecords(dbTable: string): Observable<any> {
    return this.http
      .get<any>(`${this.api}${dbTable}`);
  }


// ---- CREATE new record ---

  public addRecord(dbTable: string, recordData):  Observable<any> {
    return this.http
      .post(`${this.api}${dbTable}`, recordData, {headers: this.headers});
  }


// ---- FETCH record detail for editing or viewing. ----

  public getRecordById(dbTable: string, recordId: number): Observable<any> {
    return this.http
      .get<any>(`${this.api}${dbTable}/${recordId}`);
  }


// ---- UPDATES an existing record ----

  public updateRecord(dbTable: string, recordId: number, recordUpdate): Observable<any> {
    return this.http
      .patch(`${this.api}${dbTable}/${recordId}`, recordUpdate, {headers: this.headers});
  }


// ---- DELETES a single record. ----

  public deleteRecord(dbTable: string, recordId: number):  Observable<any> {
    return this.http
      .delete(`${this.api}${dbTable}?id=${recordId}`, {headers: this.headers});
  }


  // ---------------- QUERIES ------------------------------



  // --------- INCREMENTAL SEARCH --------

  //  Called by the Mat Data Table filter to search db by user name.
  public nameSearch(dbTable, column, terms) {
    return terms.pipe(
      tap(x => console.log('3 service called')),
      debounceTime(300),
      distinctUntilChanged(),
      switchMap(term => {
        console.log('4 term: ', term);
        const url = `${this.api}${dbTable}/${column}/${term}`;
        return this.http.get(url);
      }),
      catchError((error: any) => {
        console.error(error);
        return of();
      }),
    );
  }


  // ------------- SEARCH COUNTRIES ---------------------
  //  Called from main components to search for users by country.

  public searchCountries(dbTable, column, country): Observable<any> {
    return this.http.get(`${this.api}${dbTable}/${column}/${country}`);
  }

TypeORM 和 Nestjs 控制器,api 端点:

@Controller('api/members')  // /members route
export class MembersController {
  constructor(private readonly membersService: MembersService) {}


  /* --------------- CRUD -------------------- */


  @Get()
  async findAll(): Promise<Members[]> {
    return await this.membersService.findAll();
  }

  @Get('/:id')
  async findItem(@Param() recordId): Promise<Members> {
    return this.membersService.findItem(recordId.id);
  }

  @Post()  // Adding the dto type to recordData made no difference.
  async addItem(@Req() req, @Body() recordData): Promise<Members> {

    const result: Members = await this.membersService.addItem(recordData);
    if (!result)
      throw new HttpException('Error adding new Member', HttpStatus.BAD_REQUEST);
    return result;
  }

  @Patch('/:id')
  async updateItem(@Param() recordId: number, @Body() recordUpdate) {
    const result = await this.membersService.updateItem(recordId, recordUpdate);
    if (!result)
      throw new HttpException('Error updating Member', HttpStatus.BAD_REQUEST);
    return result;
  }

  @Delete()
  async deleteItem(@Query() recordId) {
    return await this.membersService.deleteItem(recordId.id);
  }



  /* ---------------------  QUERIES -------------------- */


  // Called from Angular last name search() in http.service. User inputs words by letter to search.

  @Get('/last_name/:entry')
  public async wordSearch(@Param('entry') entry) {
    const result = await this.membersService.wordSearch(entry);
    if (!result)
      throw new HttpException('Error searching last name', HttpStatus.BAD_REQUEST);
    return result;
  }


  // Called from searchCountries in Angular http.service.
  @Get('/country/:country')
  public async searchCountries(@Param('country') country) {
    const result = this.membersService.searchCountries(country);
    if (!result)
      throw new HttpException('Error searching last name', HttpStatus.BAD_REQUEST);
    return result;
  }
}

标签: angulartypeormnestjs

解决方案

您可能想要验证来自@Param()@Body()参数的任何用户输入。通常,您可以在内部管理一些不应由用户控制的字段。

例如,“已删除”字段或带有一些统计信息的只读字段。

看看class-transformerclass-validator

推荐阅读