I was recently reading this blog post about the dangers of using the bodyParser middleware in the Express server. This warning is actually echoed in the Express guide. The problem boils down to the fact that bodyParser also handles multipart/form-data uploads: for every multipart request it writes the uploaded parts to temp files on your server, and those files are not cleaned up, so anyone who can reach the server can fill its disk. That is a plain denial of service, no distributed botnet required. Get the details from the article though.
I was interested to see that the getting started guide for Passport.js actually suggests using the bodyParser middleware. Passport is quite possibly the de facto authentication solution for Node.js apps, which means there may be a lot of vulnerable apps out there.
Luckily for me the solution was easy. I’m using the local authentication strategy and was able to replace my call to app.use(express.bodyParser()); with app.use(express.urlencoded());
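To show what the swap above actually buys you, here is an added example, not code from the original post, Express or Passport: a minimal urlencoded-only body parser written against plain Node.js (no dependencies). It accepts only application/x-www-form-urlencoded bodies up to a byte limit and answers 415 to anything else, so a multipart upload is refused before any parser could spool it to disk. The function names (parseFormBody, urlencodedOnly, mediaType), the default 100 KiB limit and the first-value-wins rule for repeated fields are this example's own choices, and the sample request bodies in the comments are constructed.

```javascript
// Added example (not from the original post, Express or Passport): a minimal
// body parser that does only what a passport-local login form needs, namely
// read username/password out of an application/x-www-form-urlencoded body.
// Everything else, in particular multipart/form-data, is refused up front
// with 415, so no upload is ever written to a temp file. Names, limits and
// the repeated-field rule below are this example's own assumptions.

const FORM_TYPE = 'application/x-www-form-urlencoded';
const DEFAULT_LIMIT = 100 * 1024; // 100 KiB is plenty for a login form

// Reduce a Content-Type header to its lowercase media type, parameters dropped,
// so "Application/X-WWW-Form-Urlencoded; charset=UTF-8" still matches.
function mediaType(contentType) {
  if (typeof contentType !== 'string') return '';
  return contentType.split(';')[0].trim().toLowerCase();
}

// Decide what to do with a request body given its Content-Type and raw bytes.
// Returns { status, fields }: status 200 with parsed fields, 415 for any
// unsupported media type (multipart, JSON, ...), 413 when over the limit.
function parseFormBody(contentType, body, limit = DEFAULT_LIMIT) {
  const type = mediaType(contentType);
  if (type === '') return { status: 200, fields: {} };           // no body at all
  if (type !== FORM_TYPE) return { status: 415, fields: null };  // refuse, never parse
  if (body.length > limit) return { status: 413, fields: null }; // refuse oversized bodies

  const fields = {};
  for (const [key, value] of new URLSearchParams(body.toString('utf8'))) {
    // First occurrence wins: a login handler expecting a string for
    // "username" should not receive an array or a later override.
    if (!Object.prototype.hasOwnProperty.call(fields, key)) fields[key] = value;
  }
  return { status: 200, fields };
}

// Express-style middleware (req, res, next) built on parseFormBody. It buffers
// at most `limit` bytes in memory and aborts the connection beyond that, so
// there is no on-disk spooling anywhere in the request path.
function urlencodedOnly(options = {}) {
  const limit = options.limit || DEFAULT_LIMIT;
  return function (req, res, next) {
    // Refuse unsupported types before reading a single byte of body.
    const type = mediaType(req.headers['content-type']);
    if (type !== '' && type !== FORM_TYPE) {
      res.statusCode = 415;
      res.end();
      req.resume(); // drain whatever the client sends so the socket closes cleanly
      return;
    }

    const chunks = [];
    let received = 0;
    let aborted = false;
    req.on('data', (chunk) => {
      if (aborted) return;
      received += chunk.length;
      if (received > limit) {
        aborted = true;
        res.statusCode = 413;
        res.end();
        req.destroy(); // stop reading; 'end' will not fire after this
        return;
      }
      chunks.push(chunk);
    });
    req.on('end', () => {
      if (aborted) return;
      const result = parseFormBody(req.headers['content-type'], Buffer.concat(chunks), limit);
      if (result.status !== 200) {
        res.statusCode = result.status;
        res.end();
        return;
      }
      req.body = result.fields; // passport-local reads req.body.username / req.body.password
      next();
    });
  };
}

// Constructed sample inputs, for reading alongside the code:
//   parseFormBody(FORM_TYPE, Buffer.from('username=alice&password=s3cret'))
//     -> { status: 200, fields: { username: 'alice', password: 's3cret' } }
//   parseFormBody('multipart/form-data; boundary=xyz', Buffer.from('--xyz...'))
//     -> { status: 415, fields: null }
```

Wiring it is the same as the original fix: app.use(urlencodedOnly()) in place of app.use(express.bodyParser()), before passport.initialize(). In practice you would keep the real express.urlencoded() (the Connect middleware in Express 3, built back into Express 4.16 and later); the point of the example is that a parser which only understands url-encoded forms has no code path that touches the filesystem, so a multipart upload gets a 415 instead of a temp file.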