angular - Connecting Angular HTTP to TypeORM controllers / NestJS: these work, but are they secure?
Question
I'm nervous about designing security into my code. I have this code working, but is it the best choice for security, or is there a better way to do CRUD and queries? I'm including the full CRUD and a few queries here as an example for others. So far there is almost nothing on the web about how Angular and NestJS / TypeORM fit together. For those of us who are new to the server side, this should help fill that gap. I'd welcome suggestions for improvements and discussion, because I'm not confident I've done it right.
Below are the TypeORM repository find-options approach and the query-builder approach. Not sure which is best, or whether it matters.
Angular httpService.service
```typescript
import { Injectable } from '@angular/core';
import { HttpClient, HttpHeaders } from '@angular/common/http';
import { Observable, of } from 'rxjs';
import { catchError, debounceTime, distinctUntilChanged, switchMap, tap } from 'rxjs/operators';

@Injectable({ providedIn: 'root' })
export class HttpService {
  // Base URL and headers were referenced but not shown in the question; values assumed.
  private readonly api = 'http://localhost:3000/api/';
  private readonly headers = new HttpHeaders({ 'Content-Type': 'application/json' });

  constructor(private http: HttpClient) {}

  // ---- GET all records. ----
  public getAllRecords(dbTable: string): Observable<any> {
    return this.http
      .get<any>(`${this.api}${dbTable}`);
  }
  // ---- CREATE new record ---
  public addRecord(dbTable: string, recordData: any): Observable<any> {
    return this.http
      .post(`${this.api}${dbTable}`, recordData, { headers: this.headers });
  }
  // ---- FETCH record detail for editing or viewing. ----
  public getRecordById(dbTable: string, recordId: number): Observable<any> {
    return this.http
      .get<any>(`${this.api}${dbTable}/${recordId}`);
  }
  // ---- UPDATES an existing record ----
  public updateRecord(dbTable: string, recordId: number, recordUpdate: any): Observable<any> {
    return this.http
      .patch(`${this.api}${dbTable}/${recordId}`, recordUpdate, { headers: this.headers });
  }
  // ---- DELETES a single record. ----
  // The id travels as a query string here (?id=), unlike the other routes,
  // to match the controller's @Delete() / @Query() handler.
  public deleteRecord(dbTable: string, recordId: number): Observable<any> {
    return this.http
      .delete(`${this.api}${dbTable}?id=${recordId}`, { headers: this.headers });
  }
  // ---------------- QUERIES ------------------------------
  // --------- INCREMENTAL SEARCH --------
  // Called by the Mat Data Table filter to search db by user name.
  public nameSearch(dbTable: string, column: string, terms: Observable<string>): Observable<any> {
    return terms.pipe(
      tap(x => console.log('3 service called')),
      debounceTime(300),
      distinctUntilChanged(),
      switchMap(term => {
        console.log('4 term: ', term);
        // Encode the user's text so it stays a single path segment.
        const url = `${this.api}${dbTable}/${column}/${encodeURIComponent(term)}`;
        // catchError sits on the inner request: an HTTP error then ends only this
        // request instead of completing the whole search stream for good.
        return this.http.get(url).pipe(
          catchError((error: any) => {
            console.error(error);
            return of([]);
          }),
        );
      }),
    );
  }
  // ------------- SEARCH COUNTRIES ---------------------
  // Called from main components to search for users by country.
  public searchCountries(dbTable: string, column: string, country: string): Observable<any> {
    return this.http.get(`${this.api}${dbTable}/${column}/${encodeURIComponent(country)}`);
  }
}
```
TypeORM and NestJS controller, API endpoints:
```typescript
import {
  Body, Controller, Delete, Get, HttpException, HttpStatus, Param, Patch, Post, Query, Req,
} from '@nestjs/common';
import { Members } from './members.entity';         // assumed path; entity not shown in the question
import { MembersService } from './members.service'; // assumed path; service not shown in the question

@Controller('api/members') // /api/members route
export class MembersController {
  constructor(private readonly membersService: MembersService) {}

  /* --------------- CRUD -------------------- */
  @Get()
  async findAll(): Promise<Members[]> {
    return await this.membersService.findAll();
  }

  @Get('/:id')
  async findItem(@Param() recordId): Promise<Members> {
    // @Param() with no name yields the whole params object, hence recordId.id
    return this.membersService.findItem(recordId.id);
  }

  @Post() // Adding the dto type to recordData made no difference.
  // (A DTO type alone is erased at runtime; validation needs a ValidationPipe.)
  async addItem(@Req() req, @Body() recordData): Promise<Members> {
    const result: Members = await this.membersService.addItem(recordData);
    if (!result)
      throw new HttpException('Error adding new Member', HttpStatus.BAD_REQUEST);
    return result;
  }

  @Patch('/:id')
  // Fixed: @Param() without a name returns the params object, not the id,
  // and route params arrive as strings, so the id is typed as string here.
  async updateItem(@Param('id') recordId: string, @Body() recordUpdate) {
    const result = await this.membersService.updateItem(recordId, recordUpdate);
    if (!result)
      throw new HttpException('Error updating Member', HttpStatus.BAD_REQUEST);
    return result;
  }

  @Delete()
  async deleteItem(@Query() recordId) {
    // Matches the Angular client, which sends DELETE /api/members?id=<n>
    return await this.membersService.deleteItem(recordId.id);
  }

  /* --------------------- QUERIES -------------------- */
  // Called from Angular last name search() in http.service. User inputs words by letter to search.
  @Get('/last_name/:entry')
  public async wordSearch(@Param('entry') entry) {
    const result = await this.membersService.wordSearch(entry);
    if (!result)
      throw new HttpException('Error searching last name', HttpStatus.BAD_REQUEST);
    return result;
  }

  // Called from searchCountries in Angular http.service.
  @Get('/country/:country')
  public async searchCountries(@Param('country') country) {
    const result = await this.membersService.searchCountries(country); // await was missing
    if (!result)
      throw new HttpException('Error searching country', HttpStatus.BAD_REQUEST);
    return result;
  }
}
```
Solution
You may want to validate any user input coming from the @Param() and @Body() parameters. Usually you manage some fields internally that should not be user-controlled, for example a "deleted" field or read-only fields holding some statistics.
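As an added illustration of the answer's point (example code, not from the question or the answer): whitelist-style validation of the `id` route parameter, the PATCH body and the last-name search term, written in plain TypeScript so it runs without NestJS. In a NestJS app the same checks are what a class-validator DTO with `ValidationPipe({ whitelist: true, forbidNonWhitelisted: true })` and `ParseIntPipe` give you; the column names in `EDITABLE_FIELDS`, the `deleted` column and the 100/50-character limits are assumptions.

```typescript
// Fields a client may change through PATCH /api/members/:id. Server-managed
// columns (id, deleted, read-only statistics) are deliberately absent. Names assumed.
const EDITABLE_FIELDS = ['first_name', 'last_name', 'country', 'email'] as const;
type EditableField = typeof EDITABLE_FIELDS[number];
export type MemberUpdate = Partial<Record<EditableField, string>>;

// A route parameter from @Param('id') arrives as a string. Accept only a positive
// integer, so "1 OR 1=1", "", "-1" or "1e3" never reach the service layer.
export function parseRecordId(raw: string): number {
  if (!/^[1-9]\d*$/.test(raw)) throw new Error('invalid id: ' + JSON.stringify(raw));
  const id = Number(raw);
  if (id > 9007199254740991) throw new Error('id out of range'); // > MAX_SAFE_INTEGER
  return id;
}

// The PATCH body from @Body(): keep only whitelisted fields and reject anything
// else (what ValidationPipe's whitelist + forbidNonWhitelisted options do), so a
// client cannot flip `deleted` or overwrite a read-only counter. Each value must
// be a non-empty string of bounded length.
export function validateMemberUpdate(body: unknown): MemberUpdate {
  if (typeof body !== 'object' || body === null || Array.isArray(body)) {
    throw new Error('body must be a JSON object');
  }
  const allowed: readonly string[] = EDITABLE_FIELDS;
  const update: MemberUpdate = {};
  for (const key of Object.keys(body)) {
    const value = (body as Record<string, unknown>)[key];
    if (allowed.indexOf(key) === -1) throw new Error('field not allowed: ' + key);
    if (typeof value !== 'string' || value.length === 0 || value.length > 100) {
      throw new Error('field ' + key + ' must be a string of 1 to 100 characters');
    }
    update[key as EditableField] = value;
  }
  if (Object.keys(update).length === 0) throw new Error('nothing to update');
  return update;
}

// The search term for GET /api/members/last_name/:entry: letters, spaces, hyphens
// and apostrophes only (ASCII here), at most 50 characters, so the LIKE wildcards
// % and _ cannot be smuggled into the query.
export function validateSearchTerm(raw: string): string {
  const term = raw.trim();
  if (!/^[A-Za-z][A-Za-z '-]{0,49}$/.test(term)) throw new Error('invalid search term');
  return term;
}
```

Call these at the top of each handler (or move the same rules into a DTO and a pipe) and the controller only ever sees an integer id, a body limited to editable columns, and a bounded search term.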