aurelia routing parameter validation

0
votes

I am trying to figure how best to handle two types of bad routes.

  • One is a type check. Since i know my ID should be a numeric value
  • Two is when they have put in a bad order number

For the type check is the best way to handle this to simply put in a check in javascript in the activate method on the order module and redirect to a not found module if it fails? OR is there some aurelia trick to on this to force it to be a unknown route or something...

Similarly on the bad order number if I do a fetch on the order and it returns no results do I just redirect as well?

Basically just wondering if that's best practice or is there a better way to handle this?

configureRouter(config: RouterConfiguration, router: Router) {
    config.title = 'My Aurelia APP';
    config.map([
        { route: ['', "orders"], name: 'orders', moduleId: 'orders', nav: true, title: 'List Of Cool Stuff' },
        { route: ':id', moduleId: 'order', name: 'Order Info' }]);
    this.router = router;

    config.mapUnknownRoutes('not-found');
}
2
aurelia
How about instead of redirecting, if you identify that the order is not available, show an instance of aurelia-dialog, saying that the order not found. After clicking OK, just reject the promise and aurelia will redirect the user to the previous route. - jmvtrinidad
I think, as you've already alluded to, this should be managed in your order ViewModel - rather than querying an order number in the router, which isn't what it's designed for. - Tom

2 Answers

1
votes

The check for the order number should be done as part of the view model code. I assume you won't know if the order number is valid until it hits the server anyway. so like you say, in the order view model activate:

activate(params) {
    let orderId = params.id;
    return this.serverClient.get("api/orders", orderId).then(data => 
        {
           //do order module code
        }).fail(error => 
        {
            this.router.navigate('unknown-error-route');
        })
    );
}

My guess also is that if the order belongs to another user on the site you don't want that user accessing their information. So I would throw a security exception or whatever on the server side and then in the client always redirect to the unknown error route or something so a malicious person doesn't know if it failed because the order exists and belongs to someone else or that the order doesn't exist at all. Or you can navigate back or something.

0
votes

I would validate the order number is numeric before requesting it. This will save a round trip and can be displayed on the UI that it is invalid. You could also check the range to make sure it is a valid range.

The validation could be on input and before sending the API request.