
I was watching an authentication tutorial by Web Dev Simplified here. While handling logout requests, the tutorial suggested that we override the POST request to DELETE, but did not clearly specify why this is done. What the tutorial showed was:

const express = require('express');
const methodOverride = require('method-override');
const app = express();
// Rewrite a POST to the verb named in the `_method` query string key
app.use(methodOverride('_method'));
app.delete('/logout', (req, res) => {
    req.logOut(); // passport; from passport 0.6 this takes a callback
    res.redirect('/login');
});

It also had to modify the logout form to override the POST request like this:

<form action="/logout?_method=DELETE" method="POST">
    <button type="submit">Log out</button>
</form>

Instead of using all those middlewares and overriding, I could have simply done -

app.post('/logout', (req, res) => {
    req.logOut(); // passport; from passport 0.6 this takes a callback
    res.redirect('/login');
});

And it works without any noticeable problems to my untrained eye. I would like to know if there are any security issues or coding conventions that suggest overriding POST to DELETE for logging out.

  • Does this answer your question? [What method should I use for a login (authentication) request?](https://stackoverflow.com/questions/5868786/what-method-should-i-use-for-a-login-authentication-request) – 0x1C1B Feb 03 '22 at 14:24

1 Answer


The HTTP verbs are conventions which enhance the semantics of the requests. In other words, your framework doesn't care that much whether you are using POST or DELETE. You do because it is more readable.

The <form> tag only allows you to send GET or POST requests, so to me it makes sense rewiring POST to PUT or DELETE in applicable contexts. Nonetheless, if you are using a modern HTTP client (such as axios, Postman, etc.), you can easily send PUT, PATCH, DELETE and so on.

To be honest, I've always seen /login and /logout as POST requests. I wouldn't suggest DELETE /login because it just sounds less intuitive than POST /logout.

I'd like to ponder over whether you have a public API or not. If you are not writing a public API you don't really have an obligation to get too attached to all conventions. Just POST and GET will get the job done.

Your piece of code seems just fine to me. I wouldn't change it as long as it works and fits your use case.

app.post('/logout', (req, res) => {
    req.logOut();
    res.redirect('/login');
});

Talking about security... HTTP communication is not secure by design. You should rely as little as possible on user input, get your website encrypted over HTTPS, etc.