1 | # method-override
|
2 |
|
3 | [![NPM version](https://badge.fury.io/js/method-override.svg)](http://badge.fury.io/js/method-override)
|
4 | [![Build Status](https://travis-ci.org/expressjs/method-override.svg?branch=master)](https://travis-ci.org/expressjs/method-override)
|
5 | [![Coverage Status](https://img.shields.io/coveralls/expressjs/method-override.svg?branch=master)](https://coveralls.io/r/expressjs/method-override)
|
6 |
|
7 | Lets you use HTTP verbs such as PUT or DELETE in places where the client doesn't support it.
|
8 |
|
9 | ## Install
|
10 |
|
11 | ```sh
|
12 | $ npm install method-override
|
13 | ```
|
14 |
|
15 | ## API
|
16 |
|
17 | **NOTE** It is very important that this module is used **before** any module that
|
18 | needs to know the method of the request (for example, it _must_ be used prior to
|
19 | the `csurf` module).
|
20 |
|
21 | ### methodOverride(getter, options)
|
22 |
|
23 | Create a new middleware function to override the `req.method` property with a new
|
24 | value. This value will be pulled from the provided `getter`.
|
25 |
|
26 | - `getter` - The getter to use to look up the overridden request method for the request. (default: `X-HTTP-Method-Override`)
|
27 | - `options.methods` - The allowed methods the original request must be in to check for a method override value. (default: `['POST']`)
|
28 |
|
29 | If the found method is supported by node.js core, then `req.method` will be set to
|
30 | this value, as if it has originally been that value. The previous `req.method`
|
31 | value will be stored in `req.originalMethod`.
|
32 |
|
33 | #### getter
|
34 |
|
35 | This is the method of getting the override value from the request. If a function is provided,
|
36 | the `req` is passed as the first argument, the `res as the second argument and the method is
|
37 | expected to be returned. If a string is provided, the string is used to look up the method
|
38 | with the following rules:
|
39 |
|
40 | - If the string starts with `X-`, then it is treated as the name of a header and that header
|
41 | is used for the method override. If the request contains the same header multiple times, the
|
42 | first occurrence is used.
|
43 | - All other strings are treated as a key in the URL query string.
|
44 |
|
45 | #### options.methods
|
46 |
|
47 | This allows the specification of what methods(s) the request *MUST* be in in order to check for
|
48 | the method override value. This defaults to only `POST` methods, which is the only method the
|
49 | override should arrive in. More methods may be specified here, but it may introduce security
|
50 | issues and cause weird behavior when requests travel through caches. This value is an array
|
51 | of methods in upper-case. `null` can be specified to allow all methods.
|
52 |
|
53 | ## Examples
|
54 |
|
55 | ### override using a header
|
56 |
|
57 | To use a header to override the method, specify the header name
|
58 | as a string argument to the `methodOverride` function. To then make
|
59 | the call, send a `POST` request to a URL with the overridden method
|
60 | as the value of that header. This method of using a header would
|
61 | typically be used in conjunction with `XMLHttpRequest` on implementations
|
62 | that do not support the method you are trying to use.
|
63 |
|
64 | ```js
|
65 | var connect = require('connect')
|
66 | var methodOverride = require('method-override')
|
67 |
|
68 | // override with the X-HTTP-Method-Override header in the request
|
69 | app.use(methodOverride('X-HTTP-Method-Override'))
|
70 | ```
|
71 |
|
72 | Example call with header override using `XMLHttpRequest`:
|
73 |
|
74 | ```js
|
75 | var xhr = new XMLHttpRequest()
|
76 | xhr.onload = onload
|
77 | xhr.open('post', '/resource', true)
|
78 | xhr.setRequestHeader('X-HTTP-Method-Override', 'DELETE')
|
79 | xhr.send()
|
80 |
|
81 | function onload() {
|
82 | alert('got response: ' + this.responseText)
|
83 | }
|
84 | ```
|
85 |
|
86 | ### override using a query value
|
87 |
|
88 | To use a query string value to override the method, specify the query
|
89 | string key as a string argument to the `methodOverride` function. To
|
90 | then make the call, send a `POST` request to a URL with the overridden
|
91 | method as the value of that query string key. This method of using a
|
92 | query value would typically be used in conjunction with plain HTML
|
93 | `<form>` elements when trying to support legacy browsers but still use
|
94 | newer methods.
|
95 |
|
96 | ```js
|
97 | var connect = require('connect')
|
98 | var methodOverride = require('method-override')
|
99 |
|
100 | // override with POST having ?_method=DELETE
|
101 | app.use(methodOverride('_method'))
|
102 | ```
|
103 |
|
104 | Example call with query override using HTML `<form>`:
|
105 |
|
106 | ```html
|
107 | <form method="POST" action="/resource?_method=DELETE">
|
108 | <button type="submit">Delete resource</button>
|
109 | </form>
|
110 | ```
|
111 |
|
112 | ### multiple format support
|
113 |
|
114 | ```js
|
115 | var connect = require('connect')
|
116 | var methodOverride = require('method-override')
|
117 |
|
118 | // override with different headers; last one takes precedence
|
119 | app.use(methodOverride('X-HTTP-Method')) // Microsoft
|
120 | app.use(methodOverride('X-HTTP-Method-Override')) // Google/GData
|
121 | app.use(methodOverride('X-Method-Override')) // IBM
|
122 | ```
|
123 |
|
124 | ### custom logic
|
125 |
|
126 | You can implement any kind of custom logic with a function for the `getter`. The following
|
127 | implements the logic for looking in `req.body` that was in `method-override@1`:
|
128 |
|
129 | ```js
|
130 | var bodyParser = require('body-parser')
|
131 | var connect = require('connect')
|
132 | var methodOverride = require('method-override')
|
133 |
|
134 | // NOTE: when using req.body, you must fully parse the request body
|
135 | // before you call methodOverride() in your middleware stack,
|
136 | // otherwise req.body will not be populated.
|
137 | app.use(bodyParser.urlencoded())
|
138 | app.use(methodOverride(function(req, res){
|
139 | if (req.body && typeof req.body === 'object' && '_method' in req.body) {
|
140 | // look in urlencoded POST bodies and delete it
|
141 | var method = req.body._method
|
142 | delete req.body._method
|
143 | return method
|
144 | }
|
145 | }))
|
146 | ```
|
147 |
|
148 | Example call with query override using HTML `<form>`:
|
149 |
|
150 | ```html
|
151 | <!-- enctype must be set to the type you will parse before methodOverride() -->
|
152 | <form method="POST" action="/resource" enctype="application/x-www-form-urlencoded">
|
153 | <input type="hidden" name="_method" value="DELETE">
|
154 | <button type="submit">Delete resource</button>
|
155 | </form>
|
156 | ```
|
157 |
|
158 | ## License
|
159 |
|
160 | The MIT License (MIT)
|
161 |
|
162 | Copyright (c) 2014 Jonathan Ong me@jongleberry.com
|
163 |
|
164 | Permission is hereby granted, free of charge, to any person obtaining a copy
|
165 | of this software and associated documentation files (the "Software"), to deal
|
166 | in the Software without restriction, including without limitation the rights
|
167 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
168 | copies of the Software, and to permit persons to whom the Software is
|
169 | furnished to do so, subject to the following conditions:
|
170 |
|
171 | The above copyright notice and this permission notice shall be included in
|
172 | all copies or substantial portions of the Software.
|
173 |
|
174 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
175 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
176 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
177 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
178 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
179 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
180 | THE SOFTWARE.
|