How to add strong parameters in Node.js with Mongoose example

Strong parameters prevent users from maliciously updating database attributes that have not been whitelisted (the class of bug usually called mass assignment). With strong parameters you make a conscious decision about which attributes a request is allowed to modify. It is a good security practice that prevents users from modifying sensitive attributes, whether by accident or on purpose. Note that Mongoose's strict schema mode is not a substitute: strict mode only drops paths that are not in the schema, so a real schema field such as role or isAdmin is still settable by anyone who includes it in the request body.

This tutorial shows how to implement strong parameters in Node.js, with examples using the Express framework and the Mongoose ODM. The style and convention are borrowed from Ruby on Rails and implemented the Node.js way.

Dependencies

For this, we'll use the params library, which I have found to be the simplest implementation.

npm install --save params

Route

This is how your update route looks without strong parameters. At this point, anyone who can reach the route can set any field of the document, including fields the form never exposes, simply by adding them to the JSON body. (Checking that the caller is actually allowed to edit the user with this id is a separate authorization concern that this tutorial does not cover.)

const express = require('express');
const User = require('../models/user'); // assumed path to your Mongoose User model

const router = express.Router();

/* ... */

// Update user route (vulnerable: every field in req.body is copied onto the document)
router.put('/:id', (req, res) => {
    User.findById(req.params.id, (err, user) => {
        if (err) return res.status(500).send({ error: err.message });
        if (!user) return res.status(404).send({ error: 'User not found' });
        user.set(req.body); // mass assignment: role, isAdmin, etc. are all accepted
        user.save((saveErr, updatedUser) => {
            if (saveErr) return res.status(400).send({ error: saveErr.message });
            return res.send({ data: updatedUser });
        });
    });
});

Add strong parameters

First import the params dependency that was installed.

const express = require('express');
const params = require('params'); // Add this

const router = express.Router();

/* ... */

Just below the router, add the list of permitted params: the whitelist of fields that users are allowed to modify. Everything else (role, isAdmin, password hashes, timestamps and so on) stays off the list.

/* ... */
const router = express.Router();

const permittedParams = ['firstName', 'lastName', 'email', 'bio', 'gender'];

Lastly, update your update route as follows. params(req.body).only(permittedParams) returns a copy of the request body containing only the whitelisted fields, so anything else the client sent is dropped before it reaches user.set().

// Update user route (hardened: only whitelisted fields reach the document)
router.put('/:id', (req, res) => {
    User.findById(req.params.id, (err, user) => {
        if (err) return res.status(500).send({ error: err.message });
        if (!user) return res.status(404).send({ error: 'User not found' });
        user.set(params(req.body).only(permittedParams));
        user.save((saveErr, updatedUser) => {
            if (saveErr) return res.status(400).send({ error: saveErr.message });
            return res.send({ data: updatedUser });
        });
    });
});
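To make the filtering concrete without a database, here is an added example (not code from the original post or from the params library) that implements the same only() behaviour in plain JavaScript, runs it against a constructed mass-assignment payload, and contrasts it with what Mongoose strict mode alone would let through. The schema path list and the field names beyond the tutorial's permittedParams (role, isAdmin, passwordHash) are assumptions made for the demonstration, as is the permitBody middleware name.

```javascript
// Added example, not part of the original tutorial: a dependency-free version of
// what params(req.body).only(permittedParams) does, exercised against a constructed
// attacker payload. Field names beyond permittedParams are assumptions.

const permittedParams = ['firstName', 'lastName', 'email', 'bio', 'gender'];

// Assumed Mongoose schema paths, used to contrast strict mode with strong params.
const schemaPaths = ['firstName', 'lastName', 'email', 'bio', 'gender',
                     'role', 'isAdmin', 'passwordHash'];

// Keys that must never be copied by name, even if a whitelist mistakenly lists them,
// because assigning them on a plain object changes its prototype chain.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Return a new plain object holding only the own, top-level keys of `body` that
// appear in `permitted`. Non-object bodies (arrays, strings, null) yield {}.
function only(body, permitted) {
  const allowed = new Set(permitted);
  const out = {};
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return out;
  }
  for (const key of Object.keys(body)) {
    if (allowed.has(key) && !FORBIDDEN_KEYS.has(key)) {
      out[key] = body[key];
    }
  }
  return out;
}

// Express-style middleware factory (hypothetical name): replaces req.body with the
// filtered copy so every handler after it only ever sees whitelisted fields.
function permitBody(permitted) {
  return function (req, res, next) {
    req.body = only(req.body, permitted);
    next();
  };
}

// Constructed attacker payload: a legitimate profile edit with privilege-escalation
// fields and a prototype-pollution key smuggled in alongside it.
const maliciousBody = JSON.parse(
  '{"firstName":"Mallory","email":"mallory@example.com",' +
  '"role":"admin","isAdmin":true,"passwordHash":"$2b$10$attackerchosen",' +
  '"__proto__":{"polluted":true}}'
);

// Run both filters over the same payload and return the results for inspection.
function demo() {
  const strong = only(maliciousBody, permittedParams); // what this tutorial does
  const strictOnly = only(maliciousBody, schemaPaths); // what strict mode alone does
  return { strong, strictOnly };
}

const result = demo();
console.log('strong params :', result.strong);      // only firstName and email survive
console.log('strict schema :', result.strictOnly);  // role and isAdmin still get through
```

Wiring this into the tutorial's route is a one-liner, `router.put('/:id', permitBody(permittedParams), handler)`, and the handler can then keep calling user.set(req.body). The strictOnly result is the point to remember: a strict schema still accepts every field the schema knows about, so the whitelist has to be a deliberate, shorter list.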

Done

There you have it: the simplest way to implement strong parameters in Node.js. It is a good security practice that deserves to be used far more widely. Hopefully, it gets to see more daylight.

Wei-Ming Thor
