node.js json express hcaptcha

JSON key value being sent with enclosing single quotes from web form to express and bodyParser


I am sending a username, password and the h-captcha-response token to express via a login form. The username and password are being sent fine from the form, without single quotes; the h-captcha-response (which is formulated by hcaptcha and sent back to the web form and is sent also) is being sent with enclosing single quotes and the hcaptcha middleware (express-hcaptcha) sees no token. The response from the middleware is:

Error: bad request - no token provided in body

I am using https://github.com/vastus/express-hcaptcha

When I dump the req I am seeing that the h-captcha-response is enclosed in single quotes. I believe this may have to do with the form input that is being sent to express is not being set to application/json but that’s a guess since I am new to node/express.

The applicable part of the req dump is below and followed by the node/express info. Can someone point me in the correct direction? Many thanks JW

req dump (via console.log)

————-
<snip>
….
….
body:
   { username: 'xxxx',
     password: 'xxxx',
     'h-captcha-response': 'xxxxxxxxxxxxxx' },
  _body: true,
  length: undefined,
….
….
<snip>

Appropriate parts of the js file —————

const http = require('http');
const mysql = require('mysql');
const express = require('express');
const session = require('express-session');
const cors = require('cors');
const hcaptcha = require('express-hcaptcha');

//hcaptcha secret key
const SECRET = "xxxxxx";

var bodyParser = require('body-parser');

var connection = mysql.createConnection({
…..<snip>
});

const path = require('path');
const app = express();

app.use(cors());
app.use(bodyParser.json());
app.set("view engine","hbs");

app.use(bodyParser.urlencoded({extended : true}));


//create app server
var server = app.listen(3000,  "0.0.0.0", function () {
  var host = server.address().address
  var port = server.address().port
});

app.post('/verify', hcaptcha.middleware.validate(SECRET), (req, res) => {
  res.json({message: 'verified!', hcaptcha: req.hcaptcha});
});


Solution

  • The key 'h-captcha-response' is enclosed in quotes because that's the only way you can create an object key containing special characters (- in this case) in JavaScript:

    const bad = { a-b: '' }
                // ^ Parsing error: unexpected token, expected ","
    
    const good = { 'a-b': '' } // no error
    

    And while node is not creating an object here but just logging it to the console, it still respects common JS syntax.

    As for the error: Error: bad request - no token provided in body. It happens because the express-hcaptcha middleware expects a field named token. If the field is absent or evaluates to a falsy value, you get the error you are seeing now.

    If you're sending data as application/x-www-form-urlencoded then to fix the issue you have to change the name attribute of the captcha field in your html form from h-captcha-response to token.

    If you're sending data as json then do the same renaming to the key of the sending json object.
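
The field-name mismatch described in the answer, as an added example that is not part of the original answer or of express-hcaptcha. The names `mapHcaptchaToken`, `tokenCheck` and `checkRequest` are hypothetical, the form body is constructed, and `tokenCheck` only stands in for the middleware's "field named token" check as the answer describes it.

```javascript
// Constructed sample of an urlencoded login form body that uses the field
// name from the question: h-captcha-response.
const SAMPLE_FORM_BODY =
  'username=alice&password=s3cret&h-captcha-response=P0_constructed_token';

// Flat urlencoded parse. The quotes seen in the console.log dump are not
// part of the key or the value; they are only how a hyphenated key prints.
function parseUrlencoded(raw) {
  return Object.fromEntries(new URLSearchParams(raw));
}

// Hypothetical Express-style middleware: copy the form field to `token`,
// the name the answer says the validator reads. Only a non-empty string is
// accepted; a repeated form field can be parsed into an array, which is
// left unmapped so the request is rejected instead of passed on.
function mapHcaptchaToken(req, res, next) {
  const body = req.body || {};
  const value = body['h-captcha-response'];
  if (typeof value === 'string' && value.length > 0) {
    body.token = value;
  }
  req.body = body;
  next();
}

// Stand-in for the validator's first check as described in the answer.
function tokenCheck(req) {
  const token = req.body && req.body.token;
  return token ? null : 'bad request - no token provided in body';
}

// Run a raw body through the parse step, optionally the mapper, then the check.
function checkRequest(raw, useMapper) {
  const req = { body: parseUrlencoded(raw) };
  if (useMapper) mapHcaptchaToken(req, {}, () => {});
  return tokenCheck(req);
}

// In the question's app the mapper would sit before the validator:
// app.post('/verify', mapHcaptchaToken, hcaptcha.middleware.validate(SECRET), handler);
```

This keeps the HTML form unchanged; renaming the field to token, as the answer suggests, makes the mapper unnecessary.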