UNSOLVED Best way to add a json body-parser that comes before the root json body-parser in webserver.js


  • @julian said in Best Way to Add a bodyParser verify function:

    static:app.load

    Hey @julian

    I am sorry if I am not clear but the problem is the order of execution of the body-parser middleware. The webserver.js body-parser comes before any body-parser I can attach. Does that make sense? I even I attach a new mount to router using the static:app.load hook I cannot change the order of execution. Nodebb will always process incoming json through the webserver.js first and last.

    The only solution I personally see if to introduce a new hook that comes before the
    static:app.preload hook. Currently setupExpressApp() which is where the json body-parser is being called comes before initializeNodeBB() which is where static:app.preload is fired up.

    Maybe I am missing something else though.

  • Global Moderator Plugin & Theme Dev

    Why do you need to introduce a different body parser? What does a verify function do? What do you need that isn't covered by the default body parser?

  • GNU/Linux Admin

    @Avan-Sardar said in Best Way to Add a bodyParser verify function:

    Nodebb will always the process incoming json through the webserver.js first and last.

    Correct, but here's where @PitaJ and I recommend that you don't need to replace the built-in body parser.

    All you need to do to consume the stripe webhook data is a route handler mounted to the endpoint you wish stripe to send data to.


  • Thanks for responding @julian @PitaJ

    Stripe requires the incoming data to be parsed to raw data.

    Here is a snippet of their recommended method of handling incoming hook event data:

    // ...
    // Match the raw body to content type application/json
    app.post('/webhook', bodyParser.raw({type: 'application/json'}), (request, response) => {
      const sig = request.headers['stripe-signature'];
    
      let event;
    
      try {
        event = stripe.webhooks.constructEvent(request.body, sig, endpointSecret);
      }
      catch (err) {
        response.status(400).send(`Webhook Error: ${err.message}`);
      }
    // ...
    

    It looks like the stripe event construction requires the incoming data to passed as raw data.

    Here is the link to the documentation page: https://stripe.com/docs/webhooks/signatures

    Like I said before I might be missing something. I am aware there was/is a stripe plugin already so I assume there is a way to handle this situation without the introduction of a new hook.

  • GNU/Linux Admin

    We already parse the request body into JSON, so that should actually be fine. In your code you're using req.headers and req.body, both of which are available already, so there's no need to use your own body parser... 🤔


  • @julian

    I definitely feel like I am missing something. In the code snippet I provided it uses the bodyParser.raw({type: 'application/json'} middleware. According to the official body-parser documentation:

    "bodyParser.raw([options])
    Returns middleware that parses all bodies as a Buffer and only looks at requests where the Content-Type header matches the type option. This parser supports automatic inflation of gzip and deflate encodings.

    A new body object containing the parsed data is populated on the request object after the middleware (i.e. req.body). This will be a Buffer object of the body."

    I don't need the data to be json but in raw(buffer) format. The incoming data is in json format but I need to parse it.

  • Global Moderator Plugin & Theme Dev

    @Avan-Sardar have you tried it without anything special, just excluding the bodyparser.raw middleware? It could be that that stripe API function will accept a json object too.

    But if not, you're right, we should allow a way to hook in before the bodyparser is installed.


  • @PitaJ said in Best way to add a json body-parser that comes before the root json body-parser in webserver.js:

    middleware

    @PitaJ

    Yes I have tried that along with a few other things. No luck. Stripe wants it in raw format. The stackoverflow answer I shared has a solution where it changes the order of execution of the middleware. It was little too advanced for my taste. I am still hoping to attach my middleware a little more early on.

  • GNU/Linux Admin

    What happens when you don't include the call to bodyparser?


  • @julian

    The problem remains. Incoming data will will stay in json format. There is an alternative way of handling the stripe hook event that doesn't involve parsing it raw format but my understanding is that it is less secure way of handling the event. I will continue to look for a solution but it seems more and more like the only good solution is to introduce a new hook or move the current hook up.

  • GNU/Linux Admin

    @Avan-Sardar we're investigating... You're wanting this to do the signature verification, right?


  • @julian

    You got it.

Suggested Topics

| |