DEV Community: Alan Norman The latest articles on DEV Community by Alan Norman (@__alannorman). https://dev.to/__alannorman https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F2022673%2Fd1e36bed-bcc3-48cc-8ccb-4077fe92ef0f.png DEV Community: Alan Norman https://dev.to/__alannorman en How to Lock Down Your Web App: Security Tips for Authentication – Alan Norman, Part 2 Alan Norman Wed, 18 Sep 2024 13:18:20 +0000 https://dev.to/__alannorman/how-to-lock-down-your-web-app-security-tips-for-authentication-alan-norman-part-2-2noi https://dev.to/__alannorman/how-to-lock-down-your-web-app-security-tips-for-authentication-alan-norman-part-2-2noi <p>Alright, let’s quickly recap what we covered in Part 1: User-Agent Validation, CORS, Rate Limiting, and CSP. Now, we’re diving a bit deeper into user authentication.</p> <h2> 1. Kicking Off with CAPTCHA </h2> <p>Let’s start with something simple yet effective — CAPTCHA. Companies use different solutions like Google reCAPTCHA v2, v3, Cloudflare, or even roll their own.</p> <p>We’ll focus on Google reCAPTCHA v3. So, what’s it all about? Unlike its older versions, reCAPTCHA v3 doesn’t throw annoying puzzles at users. Instead, it works in the background, scoring each visitor based on their behavior to figure out if they’re legit or a bot.</p> <p><strong>Implementing reCAPTCHA v3</strong></p> <p><strong>Frontend</strong>: Pick your poison — whatever library fits your stack. Since I’m a React fan, I roll with @react-google-recaptcha. First, grab your Site Key and Secret Key by setting up reCAPTCHA here.</p> <p>I won’t bog you down with frontend details, as there are tons of ways to implement it.</p> <p><strong>Backend</strong>: Here’s where things get straightforward:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="dl">'</span><span class="s1">/api/form</span><span class="dl">'</span><span class="p">,</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">token</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">response</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">axios</span><span class="p">.</span><span class="nf">post</span><span class="p">(</span><span class="s2">`https://www.google.com/recaptcha/api/siteverify?secret=</span><span class="p">${</span><span class="nx">RECAPTCHA_SECRET_KEY</span><span class="p">}</span><span class="s2">&amp;response=</span><span class="p">${</span><span class="nx">token</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">success</span><span class="p">,</span> <span class="nx">score</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">response</span><span class="p">.</span><span class="nx">data</span><span class="p">;</span> <span class="k">if </span><span class="p">(</span><span class="nx">success</span> <span class="o">&amp;&amp;</span> <span class="nx">score</span> <span class="o">&gt;</span> <span class="mf">0.5</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Token is valid, and score is good </span> <span class="nx">res</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Success</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="k">else</span> <span class="p">{</span> <span class="c1">// Token is invalid or score is too low </span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">400</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Failed reCAPTCHA</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span> <span class="p">{</span> <span class="nx">console</span><span class="p">.</span><span class="nf">error</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">500</span><span class="p">).</span><span class="nf">json</span><span class="p">({</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Server error</span><span class="dl">'</span> <span class="p">});</span> <span class="p">}</span> <span class="p">});</span> </code></pre> </div> <p><strong>Pro Tip</strong>: Be mindful of the response message. Don’t spill the beans on why the request failed — keep those error details vague to avoid giving attackers any clues.</p> <h2> 2. Brute Force </h2> <p>Your system should recognize and prevent numerous failed login attempts from a single user. If someone is making repeated unsuccessful attempts, they’re likely trying to brute-force their way in.</p> <p>Here’s how you can handle it:</p> <p>Install and Configure Redis: Use Redis (a fast in-memory store) to track failed login attempts.<br> Implement Login Attempt Tracking:</p> <p>Example of Controller:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">Login</span> <span class="o">=</span> <span class="k">async </span><span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="nx">email</span><span class="p">,</span> <span class="nx">password</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nx">body</span><span class="p">;</span> <span class="k">try</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">token</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">LoginModule</span><span class="p">.</span><span class="nf">login</span><span class="p">(</span><span class="nx">email</span><span class="p">,</span> <span class="nx">password</span><span class="p">);</span> <span class="c1">// Try to log in</span> <span class="c1">// Your logic here</span> <span class="p">}</span> <span class="k">catch </span><span class="p">(</span><span class="nx">e</span><span class="p">)</span> <span class="p">{</span> <span class="c1">// Handle login error</span> <span class="nx">RedisService</span><span class="p">.</span><span class="nf">setUserAttempts</span><span class="p">(</span><span class="s2">`attempts_</span><span class="p">${</span><span class="nx">email</span><span class="p">}</span><span class="s2">`</span><span class="p">,</span> <span class="cm">/* increment and set TTL */</span><span class="p">);</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <p>Imagine you’ve got a LoginModule with a login method that does its thing and gives you a token if the login’s a success.</p> <p>Meanwhile, RedisService has a setUserAttempts method that checks how many times a user’s tried logging in and adds one to the count.</p> <p><strong>Example of Middleware</strong>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">USER_ATTEMPTS</span> <span class="o">=</span> <span class="mi">3</span><span class="p">;</span> <span class="c1">// Store this in env variables or system configuration</span> <span class="kd">const</span> <span class="nx">UserLoginAttempts</span> <span class="o">=</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="p">{</span> <span class="na">body</span><span class="p">:</span> <span class="p">{</span> <span class="nx">email</span> <span class="p">}</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">;</span> <span class="kd">const</span> <span class="nx">userAttempts</span> <span class="o">=</span> <span class="nx">RedisService</span><span class="p">.</span><span class="nf">getUserAttempts</span><span class="p">(</span><span class="s2">`attempts_</span><span class="p">${</span><span class="nx">email</span><span class="p">}</span><span class="s2">`</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">userAttempts</span> <span class="o">&gt;=</span> <span class="nx">USER_ATTEMPTS</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Too many attempts. Try again in 2 minutes.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">}</span> </code></pre> </div> <p><strong>Pro Tip</strong>: Make sure your Redis setup is fast and reliable. This is essential for managing login attempts effectively. Storing your login attempt configurations in Redis helps avoid additional database requests, which can slow down response times.</p> <p>Alright, that’s a wrap for this step. Adding CAPTCHA and blocking brute force attacks will seriously beef up your app’s security.</p> <p>Catch you in the next chapter where we’ll dive into Tokens and Cookies!</p> Security Tips, API Edition: How to Lock Down Your Web App — Part 1 by Alan Norman. Alan Norman Sat, 07 Sep 2024 13:29:13 +0000 https://dev.to/__alannorman/security-tips-api-edition-how-to-lock-down-your-web-app-part-1-by-alan-norman-4ooh https://dev.to/__alannorman/security-tips-api-edition-how-to-lock-down-your-web-app-part-1-by-alan-norman-4ooh <p>Hey folks, Alan Norman here! I’m all about that security life at JFrog, and today I’m dropping some tips on web app security. We’ll focus on the basics to get you started and keep your app tight.</p> <p>I’m using Node.js (Express) for the examples, so let's dive in!</p> <p>1) <strong>User-Agent Validation</strong><br><br> First up, spot shady requests by adding User-Agent validation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">allowedUserAgents</span> <span class="o">=</span> <span class="p">[</span><span class="dl">'</span><span class="s1">Mozilla/5.0</span><span class="dl">'</span><span class="p">];</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">userAgent</span> <span class="o">=</span> <span class="nx">req</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">'</span><span class="s1">User-Agent</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isAllowed</span> <span class="o">=</span> <span class="nx">allowedUserAgents</span><span class="p">.</span><span class="nf">some</span><span class="p">(</span><span class="nx">allowedAgent</span> <span class="o">=&gt;</span> <span class="nx">userAgent</span><span class="p">.</span><span class="nf">includes</span><span class="p">(</span><span class="nx">allowedAgent</span><span class="p">));</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">isAllowed</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">res</span><span class="p">.</span><span class="nf">status</span><span class="p">(</span><span class="mi">403</span><span class="p">).</span><span class="nf">send</span><span class="p">(</span><span class="dl">'</span><span class="s1">Forbidden: Your device was blocked permanently for making requests.</span><span class="dl">'</span><span class="p">);</span> <span class="p">}</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> </code></pre> </div> <p><strong>Pro Tip</strong>: Don’t give away too much in your error messages—keep hackers guessing. A simple "Forbidden" keeps them in the dark.</p> <p>2) <strong>CORS</strong><br><br> Next, we’ve got CORS. It’s good for stopping unwanted cross-origin requests, but don’t expect miracles.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">corsOptions</span> <span class="o">=</span> <span class="p">{</span> <span class="na">origin</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">https://your.app</span><span class="dl">'</span><span class="p">],</span> <span class="na">methods</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">GET</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">POST</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">PUT</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">DELETE</span><span class="dl">'</span><span class="p">],</span> <span class="na">allowedHeaders</span><span class="p">:</span> <span class="p">[</span><span class="dl">'</span><span class="s1">Content-Type</span><span class="dl">'</span><span class="p">,</span> <span class="dl">'</span><span class="s1">Authorization</span><span class="dl">'</span><span class="p">],</span> <span class="na">credentials</span><span class="p">:</span> <span class="kc">true</span><span class="p">,</span> <span class="p">};</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nf">cors</span><span class="p">(</span><span class="nx">corsOptions</span><span class="p">));</span> </code></pre> </div> <p><strong>Pro Tip</strong>: Never use '*' in production! It’s way too risky, and anyone with Postman can break through.</p> <p>3) <strong>Rate Limiting</strong><br><br> Let’s slap some limits on requests to block out those pesky bots.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">rateLimit</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">express-rate-limit</span><span class="dl">'</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">limiter</span> <span class="o">=</span> <span class="nf">rateLimit</span><span class="p">({</span> <span class="na">windowMs</span><span class="p">:</span> <span class="mi">10</span> <span class="o">*</span> <span class="mi">60</span> <span class="o">*</span> <span class="mi">1000</span><span class="p">,</span> <span class="na">max</span><span class="p">:</span> <span class="mi">100</span><span class="p">,</span> <span class="na">message</span><span class="p">:</span> <span class="dl">'</span><span class="s1">Too many requests from this IP, please try again later.</span><span class="dl">'</span><span class="p">,</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">limiter</span><span class="p">);</span> </code></pre> </div> <p><strong>Pro Tip</strong>: Customize the rate limit based on your app’s traffic. Watch that error message though—don’t give the hackers a clue!</p> <p>4) <strong>CSP</strong><br><br> Why CSP? It’s your line of defense against XSS attacks. Decide what gets loaded and block the rest.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">helmet</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">helmet</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="nx">helmet</span><span class="p">.</span><span class="nf">contentSecurityPolicy</span><span class="p">({</span> <span class="na">directives</span><span class="p">:</span> <span class="p">{</span> <span class="na">defaultSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">],</span> <span class="na">scriptSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">],</span> <span class="na">styleSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">],</span> <span class="na">imgSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p>Need third-party stuff? No problem:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="nx">helmet</span><span class="p">.</span><span class="nf">contentSecurityPolicy</span><span class="p">({</span> <span class="na">directives</span><span class="p">:</span> <span class="p">{</span> <span class="na">defaultSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">],</span> <span class="na">scriptSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">https://cdnjs.cloudflare.com</span><span class="dl">"</span><span class="p">],</span> <span class="na">styleSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">https://fonts.googleapis.com</span><span class="dl">"</span><span class="p">],</span> <span class="na">imgSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">,</span> <span class="dl">"</span><span class="s2">https://images.example.com</span><span class="dl">"</span><span class="p">],</span> <span class="p">},</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p><strong>Wanna use inline scripts?</strong> Secure them with a nonce:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="nx">crypto</span> <span class="o">=</span> <span class="nf">require</span><span class="p">(</span><span class="dl">'</span><span class="s1">crypto</span><span class="dl">'</span><span class="p">);</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">((</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">,</span> <span class="nx">next</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">nonce</span> <span class="o">=</span> <span class="nx">crypto</span><span class="p">.</span><span class="nf">randomBytes</span><span class="p">(</span><span class="mi">16</span><span class="p">).</span><span class="nf">toString</span><span class="p">(</span><span class="dl">'</span><span class="s1">hex</span><span class="dl">'</span><span class="p">);</span> <span class="nf">next</span><span class="p">();</span> <span class="p">});</span> <span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span> <span class="nx">helmet</span><span class="p">.</span><span class="nf">contentSecurityPolicy</span><span class="p">({</span> <span class="na">directives</span><span class="p">:</span> <span class="p">{</span> <span class="na">defaultSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">],</span> <span class="na">scriptSrc</span><span class="p">:</span> <span class="p">[</span><span class="dl">"</span><span class="s2">'self'</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">res</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="s2">`'nonce-</span><span class="p">${</span><span class="nx">res</span><span class="p">.</span><span class="nx">locals</span><span class="p">.</span><span class="nx">nonce</span><span class="p">}</span><span class="s2">'`</span><span class="p">],</span> <span class="p">},</span> <span class="p">})</span> <span class="p">);</span> </code></pre> </div> <p>On the frontend, use that nonce:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight html"><code><span class="nt">&lt;script </span><span class="na">nonce=</span><span class="s">"${nonce}"</span> <span class="na">src=</span><span class="s">"/path/to/your/bundle.js"</span><span class="nt">&gt;&lt;/script&gt;</span> </code></pre> </div> <p>Last bit—<strong>lock down those API keys</strong>. Make sure they’re restricted by IP. Don’t let them roam free, or you’ll be swimming in security issues.</p> <p>That’s it for Part 1! You’ve just leveled up your API security game. Next, we’ll talk Brute Force attacks and Captcha. Stay tuned!</p> Decimal numbers with trailing zeros and handling raw body data in Node.js Alan Norman Tue, 03 Sep 2024 18:31:33 +0000 https://dev.to/__alannorman/decimal-numbers-with-trailing-zeros-and-handling-raw-body-data-in-nodejs-2ajn https://dev.to/__alannorman/decimal-numbers-with-trailing-zeros-and-handling-raw-body-data-in-nodejs-2ajn <p><strong>By Alan Norman</strong></p> <p>So, a few years back, I ran into this annoying issue with decimal numbers that had trailing zeros in Node.js. It was one of those sneaky problems that ate up almost an entire day, and I'm sharing my story in the hopes that it saves you some headache if you ever stumble upon the same tiny but frustrating problem.</p> <h2> <strong>The Problem: Decimal Numbers with .00 Losing Their Trailing Zeros</strong> </h2> <p>During one of my projects, where I was rolling as the Solution Lead, our team was working on a service that hooked up with a bunch of financial platforms. These platforms kept hitting us with JSON payloads via POST requests, and our Node.js app, running on the Express framework, was on duty to handle them. We used <code>app.use(express.json())</code> to parse the incoming JSON data.</p> <p>Everything was smooth sailing until one of our partners started sending JSON with an “amount” key that had those pesky trailing zeros, like “amount”: “10.00”. The problem? JavaScript doesn’t give a hoot about the difference between 10.00 and 10 when converting strings to numbers. This caused a big mess because we needed to generate a digital signature from the raw request body. If the signature was made from “amount”: “10” instead of “amount”: “10.00”, boom—mismatch city.</p> <h2> <strong>The Challenge: Keeping the Original JSON Format Intact</strong> </h2> <p>Now, <code>app.use(express.json())</code> was doing its job too well, automatically parsing the JSON and stripping away those precious zeros, leaving us with no way to grab the raw JSON string. We couldn’t just rip out <code>app.use(express.json())</code> because that would mean rewriting a ton of code and breaking all the SOLID principles we were holding dear.</p> <p>Our quick and dirty fix? We started tweaking the amounts by adding small values, turning 10.00 into 10.01. It gave us some breathing room to figure things out, but come on, this was never gonna fly long-term—especially in a financial setup where accuracy is everything.</p> <h2> <strong>The Fix: Using the verify Option in express.json()</strong> </h2> <p>After digging around a bit, I found out the fix was way simpler than I expected. Turns out, Express has this neat <code>verify</code> option in the <code>express.json()</code> method that lets you grab the raw request body before it gets all parsed into JSON.</p> <p>Here’s how you can make it work:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="nx">app</span><span class="p">.</span><span class="nf">use</span><span class="p">(</span><span class="nx">express</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">verify</span><span class="p">:</span> <span class="p">(</span><span class="nx">req</span><span class="p">,</span> <span class="nx">_</span><span class="p">,</span> <span class="nx">buf</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="nx">req</span><span class="p">.</span><span class="nx">rawBody</span> <span class="o">=</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">buf</span><span class="p">).</span><span class="nf">toString</span><span class="p">()</span> <span class="p">}));</span> </code></pre> </div> <p>The <code>verify</code> function kicks in before the body is turned into JSON. This way, you can stash the raw body as a string, making sure that “amount”: “10.00” stays just the way it was. Then, you can grab both the parsed JSON and the raw string in your controllers:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight javascript"><code><span class="kd">const</span> <span class="p">{</span> <span class="nx">body</span><span class="p">,</span> <span class="nx">rawBody</span> <span class="p">}</span> <span class="o">=</span> <span class="nx">req</span><span class="p">;</span> <span class="c1">// body - JSON-parsed output</span> <span class="c1">// rawBody - Original raw string received before parsing</span> </code></pre> </div> <h2> <strong>Heads Up: Be Careful When Messing with the req Object</strong> </h2> <p>Now, I gotta say, messing with the <code>req</code> object isn’t exactly best practice, but hey, sometimes you gotta do what you gotta do to fit your architecture. The main thing to remember is that you can keep both the raw and parsed versions of the JSON body in one spot.</p> <p>Looking back, the fix was right there, but under pressure, even seasoned devs can miss the easy stuff. Hopefully, this helps anyone else facing the same kind of hassle. Remember, knowing how your tools really work under the hood can often turn complex problems into simple fixes.</p> <p>Happy coding, folks!</p>