sails: disable `blueprints actions` in production, since it creates a huge security footprint?

主宰稳场 submitted on 2021-02-08 06:55:20

Question


Getting acquainted with Sails for Node.

One thing I need to get used to is the 'automagic' way in which routes for controller-methods are set-up using blueprints.

For example, from the docs, if actions-blueprints are enabled (which they are by default) GET, POST, PUT, and DELETE routes will be generated for every one of a controller's actions.

E.g. from the docs, when you've got controller-method EmailController.send, the following routes are created:

     EmailController.send
     GET     /email/send/:id?
     POST    /email/send/:id?
     PUT     /email/send/:id?
     DELETE  /email/send/:id?

The docs specifically state: actions are enabled by default, and are OK for production; however, you must take great care not to inadvertently expose unsafe controller logic to GET requests.

Normally I would write a controller-method for ONE specific HTTP Verb (e.g.: POST). That's clearly not compatible with this automagic wiring, since these methods would be exposed on GETs (and PUTs and DELETEs) as well, which would leave a huge security footprint imho.

So: what's the practical use of enabling these actions? To me, it seems like a huge security risk. On the other hand, I can (theoretically) imagine writing all controller methods with conditional logic to discriminate between HTTP verbs, but for most controller methods this just doesn't make sense.

So help me out: What's the advantage of working with these actions which Sails seems to try to nudge me towards? Or is it just a way to get going quickly, but really not meant for production?

Thanks for wrapping my head around this.


Answer 1:


Action Blueprints automatically create routes to all the available controller methods. I personally turn them off, and do my routing manually.

Restful blueprints automatically generate the controller methods themselves, which would then have routes to them created by the Action Blueprints. I believe these are the REST defaults:

 * GET      /boat/:id?      -> BoatController.find
 * POST     /boat           -> BoatController.create
 * PUT      /boat/:id       -> BoatController.update
 * DELETE   /boat/:id       -> BoatController.destroy


Source: https://stackoverflow.com/questions/23156944/sails-disable-blueprints-actions-in-production-since-it-creates-a-huge-secur
