Inconsistent "400 bad request" response, for GET request with a body

[marcopeg]

Hello, I came across a weird behavior when it comes to GET requests:

Here is a GET request performed through the fetch API.
It is wrong because GET should NOT have a body.

await fetch('http://localhost:8080', {
  body: JSON.stringify({})
})

Nevertheless, if my Express handler looks like the following code, it works just fine:

app.get('/', (req, res) => res.send('ok'))

It looks like Express simply ignores the body part of the request.

BUT if I add a middleware that awaits for a Promise, then Express will fail my request with a 400 - Bad Request answer:

app.get('/', [
  (req, res, next) => {
    const foo = new Promise(r => r())
    foo.then(next)
  }
], (req, res) => res.send('ok'))

This piece of code will cause Express to "validate" the request payload and drop the request due to the existing (and correctly unexpected) body.

---

Now, wouldn't it be better if the behavior of either failing the request or ignoring the body was consistent with or without promises in the handling chain?

Thanks guys!
Awesome work :-)

[dougwilson]

Interesting, we will investigate. There isn't really anything in Express that would 400 from something like that, and awaiting a promise should not change behavior.

Is there any stack trace printing to your console when this happens? If not, it is likely Node.js HTTP module itself that is sending the 400.

[marcopeg]

There is no trace, it is not a crash or anything. It's just the request being denied. But only when a Promise is being awaited by the middleware. It is weird indeed :-) Of course, I believe I was mistaken in sending an empty body along with a GET request. I fixed that in my app and now everything works fine. Still, it would be best if we could somehow unify the behavior with/without promises. Best of luck, Marco

…

On Mon, Aug 12, 2019 at 3:19 PM Douglas Wilson ***@***.***> wrote: Interesting, we will investigate. There isn't really anything in Express that would 400 from something like that, and awaiting a promise should not change behavior. Is there any stack trace printing to your console when this happens? If not, it is like Node.js HTTP module itself throwing the 400. — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4026?email_source=notifications&email_token=AADIMMPGLP5NVKGC4HGI4STQEFPM7A5CNFSM4IK7FE42YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD4CP35I#issuecomment-520420853>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AADIMMMKT7G7BBFQ3ZMFMALQEFPM7ANCNFSM4IK7FE4Q> .

-- Best regards, Marco Pegoraro *m.* marco.pegoraro@gmail.com *C.* +46 73 545 1223

---------------------------------------------- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

[dougwilson]

Unfortunately I tried to create an app based on your description and could not reproduce the 400. Can you provide a reproduction case?

[marcopeg]

I will put together a repo that reproduces it!

…

On Mon, Aug 12, 2019 at 4:15 PM Douglas Wilson ***@***.***> wrote: Unfortunately I tried to create an app based on your description and could not reproduce the 400. Can you provide a reproduction case? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4026?email_source=notifications&email_token=AADIMMMYEBHFUDCAL3IJJEDQEFV65A5CNFSM4IK7FE42YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD4CVC6Q#issuecomment-520442234>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AADIMMO5DJK73ZPKQQWVCZ3QEFV65ANCNFSM4IK7FE4Q> .

-- Best regards, Marco Pegoraro *m.* marco.pegoraro@gmail.com *C.* +46 73 545 1223

---------------------------------------------- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

[marcopeg]

Here you go:
https://github.com/marcopeg/express-weird-behavior

This will reproduce the problem using Docker, so it should be quite safe to reproduce it.

Marco

[dougwilson]

Thank you, that helps a lot! I was able to reproduce it with your example, and it looks like the reason I couldn't reproduce the issue is because it seems specific to the client you are using. Using cURL as a client, for example, shows the 200 OK coming back from the body test where your client gets a 400 Bad Request:

$ curl -v http://127.0.0.1:5555/d -H'content-type: application/json' -d'{}' -XGET
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 5555 (#0)
> GET /d HTTP/1.1
> Host: 127.0.0.1:5555
> User-Agent: curl/7.54.0
> Accept: */*
> content-type: application/json
> Content-Length: 2
> 
* upload completely sent off: 2 out of 2 bytes
< HTTP/1.1 200 OK
< X-Powered-By: Express
< Content-Type: text/html; charset=utf-8
< Content-Length: 4
< ETag: W/"4-cM5NkoAgYFvRntn1zvlbeUF4oB8"
< Date: Tue, 13 Aug 2019 13:47:19 GMT
< Connection: keep-alive
< 
* Connection #0 to host 127.0.0.1 left intact
ok/d

The Bad Request is coming from Node.js itself, though, so before Express.js can even see the request. Changing the server to just pure Node.js reproduces the issue without Express, at which case you can file an issue with Node.js or your client library, which ever you think is more appropriate (probably your client library, since cURL has no issue making the same requests that you get a 400 for):

const http = require('http')

const sleepTimeout = duration => (next) => setTimeout(next, duration)
const sleepPromise = duration => (next) => (new Promise(r => setTimeout(r, duration))).then(next)
const sleepSync = duration => (next) => {
    for (let i = 0; i < duration; i++) console.log({ i })
    next()
}

const app = (req, res) => {
    switch (req.url) {
        case '/a':
            res.end('ok/a')
            break
        case '/b':
            sleepSync(9999)(() => res.end('ok/b'))
            break
        case '/c':
            sleepTimeout(500)(() => res.end('ok/c'))
            break
        case '/d':
            sleepPromise(500)(() => res.end('ok/d'))
            break
    }
}

http.createServer(app).listen(8080, () => console.log('App1 is running...'))

[marcopeg]

Thank you for taking a look at it, and for the clarification. Marco

…

On Tue, Aug 13, 2019 at 4:02 PM Douglas Wilson ***@***.***> wrote: Thank you, that helps a lot! I was able to reproduce it with your example, and it looks like the reason I couldn't reproduce the issue is because it seems specific to the *client* you are using. Using cURL as a client, for example, shows the 200 OK coming back from the body test where your client gets a 400 Bad Request: $ curl -v http://127.0.0.1:5555/d -H'content-type: application/json' -d'{}' -XGET * Trying 127.0.0.1... * TCP_NODELAY set * Connected to 127.0.0.1 (127.0.0.1) port 5555 (#0) > GET /d HTTP/1.1 > Host: 127.0.0.1:5555 > User-Agent: curl/7.54.0 > Accept: */* > content-type: application/json > Content-Length: 2 > * upload completely sent off: 2 out of 2 bytes < HTTP/1.1 200 OK < X-Powered-By: Express < Content-Type: text/html; charset=utf-8 < Content-Length: 4 < ETag: W/"4-cM5NkoAgYFvRntn1zvlbeUF4oB8" < Date: Tue, 13 Aug 2019 13:47:19 GMT < Connection: keep-alive < * Connection #0 to host 127.0.0.1 left intact ok/d The Bad Request is coming from Node.js itself, though, so before Express.js can even see the request. Changing the server to just pure Node.js reproduces the issue without Express, at which case you can file an issue with Node.js or your client library, which ever you think is more appropriate: const http = require('http') const sleepTimeout = duration => (next) => setTimeout(next, duration)const sleepPromise = duration => (next) => (new Promise(r => setTimeout(r, duration))).then(next)const sleepSync = duration => (next) => { for (let i = 0; i < duration; i++) console.log({ i }) next() } const app = (req, res) => { switch (req.url) { case '/a': res.end('ok/a') break case '/b': sleepSync(9999)(() => res.end('ok/b')) break case '/c': sleepTimeout(500)(() => res.end('ok/c')) break case '/d': sleepPromise(500)(() => res.end('ok/d')) break } } http.createServer(app).listen(8080, () => console.log('App1 is running...')) — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#4026?email_source=notifications&email_token=AADIMMMWO75K3KOE7RMF7NLQEK5I3A5CNFSM4IK7FE42YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOD4FYABI#issuecomment-520847365>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AADIMMLZ4EZHYFEAL2RZXF3QEK5I3ANCNFSM4IK7FE4Q> .

-- Best regards, Marco Pegoraro *m.* marco.pegoraro@gmail.com *C.* +46 73 545 1223

---------------------------------------------- This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. This message contains confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. If you are not the intended recipient you are notified that disclosing, copying, distributing or taking any action in reliance on the contents of this information is strictly prohibited.

[raijinsetsu]

@marcopeg
I bumped into this same issue and then looked at the NodeJS issue tracker. It does not look like you opened an issue over there, nor did Doug. Did you find a work-around for this issue or did someone else submit the issue? I searched through the NodeJS issues but could not find any that seemed to match.

[dougwilson]

Hi @raijinsetsu I did not make an issue with Node.js, as noted above, I believe it was the client library at use that was the issue and not Node.js. I left filing up to OP since they would have the most background and eagerness to work to get it fixed upstream with the client library.

[raijinsetsu]

I missed that detail. I thought you were saying it was the NodeJS server. We happen to be using the NodeJS native Http client which means that, it you're correct, it's still an issue in NodeJS. I'll followup with some testing and open an issue.

…

On Tue, Feb 4, 2020, 10:03 Douglas Wilson ***@***.***> wrote: Hi @raijinsetsu <https://github.com/raijinsetsu> I did not make an issue with Node.js, as noted above, I believe it was the client library at use that was the issue and not Node.js. I left filing up to OP since they would have the most background and eagerness to work to get it fixed upstream with the client library. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#4026?email_source=notifications&email_token=ABT6LNQ7MK5YOYVZKIBARJDRBF7STA5CNFSM4IK7FE42YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKX6BIQ#issuecomment-581951650>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABT6LNQV3RT37ZTSHEH4HJDRBF7STANCNFSM4IK7FE4Q> .

[TBG-FR]

I missed that detail. I thought you were saying it was the NodeJS server. We happen to be using the NodeJS native Http client which means that, it you're correct, it's still an issue in NodeJS. I'll followup with some testing and open an issue.
…
On Tue, Feb 4, 2020, 10:03 Douglas Wilson @.***> wrote: Hi @raijinsetsu https://github.com/raijinsetsu I did not make an issue with Node.js, as noted above, I believe it was the client library at use that was the issue and not Node.js. I left filing up to OP since they would have the most background and eagerness to work to get it fixed upstream with the client library. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#4026?email_source=notifications&email_token=ABT6LNQ7MK5YOYVZKIBARJDRBF7STA5CNFSM4IK7FE42YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKX6BIQ#issuecomment-581951650>, or unsubscribe https://github.com/notifications/unsubscribe-auth/ABT6LNQV3RT37ZTSHEH4HJDRBF7STANCNFSM4IK7FE4Q .

Did you open an issue about this ? I'm facing the same behaviour, using native NodeJS too