body-parser

[![NPM Version][npm-version-image]][npm-url]
[![NPM Downloads][npm-downloads-image]][npm-url]
[![Build Status][ci-image]][ci-url]
[![Test Coverage][coveralls-image]][coveralls-url]
[![OpenSSF Scorecard Badge][ossf-scorecard-badge]][ossf-scorecard-visualizer]

Node.js body parsing middleware.

Parse incoming request bodies in a middleware before your handlers, available
under the req.body property.

Note As req.body's shape is based on user-controlled input, all
properties and values in this object are untrusted and should be validated
before trusting. For example, req.body.foo.toString() may fail in multiple
ways, for example the foo property may not be there or may not be a string,
and toString may not be a function and instead a string or other user input.

Learn about the anatomy of an HTTP transaction in Node.js.

_This does not handle multipart bodies_, due to their complex and typically
large nature. For multipart bodies, you may be interested in the following
modules:

* busboy and
connect-busboy
* multiparty and
connect-multiparty
* formidable
* multer

This module provides the following parsers:

* JSON body parser
* Raw body parser
* Text body parser
* URL-encoded form body parser

Other body parsers you might be interested in:

- body
- co-body

Installation

``sh $ npm install body-parser`

`API`

`js const bodyParser = require('body-parser')`

The bodyParserobject exposes various factories to create middlewares. All middlewares will populate thereq.bodyproperty with the parsed body when theContent-Type request header matches the type option.

The various errors returned by this module are described in the errors section.

`$3`

Returns middleware that only parses jsonand only looks at requests where theContent-Type header matches the typeoption. This parser accepts any Unicode encoding of the body and supports automatic inflation ofgzip,br (brotli) and deflate encodings.

A new body object containing the parsed data is populated on the requestobject after the middleware (i.e.req.body).

#### Options

The json function takes an optional optionsobject that may contain any of the following keys:

##### defaultCharset

Specify the default character set for the json content if the charset is not specified in theContent-Type header of the request. Defaults to utf-8.

##### inflate

When set to true, then deflated (compressed) bodies will be inflated; whenfalse, deflated bodies are rejected. Defaults to true.

##### limit

Controls the maximum request body size. If this is a number, then the value specifies the number of bytes; if it is a string, the value is passed to the bytes library for parsing. Defaults to'100kb'.

##### reviver

The reviver option is passed directly to JSON.parseas the second argument. You can find more information on this argument in the MDN documentation about JSON.parse.

##### strict

When set to true, will only accept arrays and objects; when falsewill accept anythingJSON.parse accepts. Defaults to true.

##### type

The typeoption is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function,typeoption is passed directly to the type-is library and this can be an extension name (likejson), a mime type (like application/json), or a mime type with a wildcard (like/ or */json). If a function, the typeoption is called asfn(req)and the request is parsed if it returns a truthy value. Defaults toapplication/json.

##### verify

The verify option, if supplied, is called as verify(req, res, buf, encoding), wherebuf is a Buffer of the raw request body and encodingis the encoding of the request. The parsing can be aborted by throwing an error.

`$3`

Returns middleware that parses all bodies as a Bufferand only looks at requests where theContent-Type header matches the typeoption. This parser supports automatic inflation ofgzip, br (brotli) and deflateencodings.

A new body object containing the parsed data is populated on the requestobject after the middleware (i.e.req.body). This will be a Bufferobject of the body.

#### Options

The raw function takes an optional optionsobject that may contain any of the following keys:

##### inflate

When set to true, then deflated (compressed) bodies will be inflated; whenfalse, deflated bodies are rejected. Defaults to true.

##### limit

##### type

The typeoption is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function,typeoption is passed directly to the type-is library and this can be an extension name (likebin), a mime type (likeapplication/octet-stream), or a mime type with a wildcard (like /orapplication/*). If a function, the type option is called as fn(req)and the request is parsed if it returns a truthy value. Defaults toapplication/octet-stream.

##### verify

`$3`

Returns middleware that parses all bodies as a string and only looks at requests where theContent-Type header matches the typeoption. This parser supports automatic inflation ofgzip, br (brotli) and deflateencodings.

A new body string containing the parsed data is populated on the requestobject after the middleware (i.e.req.body). This will be a string of the body.

#### Options

The text function takes an optional optionsobject that may contain any of the following keys:

##### defaultCharset

Specify the default character set for the text content if the charset is not specified in theContent-Type header of the request. Defaults to utf-8.

##### inflate

When set to true, then deflated (compressed) bodies will be inflated; whenfalse, deflated bodies are rejected. Defaults to true.

##### limit

##### type

The typeoption is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function,typeoption is passed directly to the type-is library and this can be an extension name (liketxt), a mime type (like text/plain), or a mime type with a wildcard (like/ or text/*). If a function, the typeoption is called asfn(req)and the request is parsed if it returns a truthy value. Defaults totext/plain.

##### verify

`$3`

Returns middleware that only parses urlencodedbodies and only looks at requests where theContent-Type header matches the typeoption. This parser accepts only UTF-8 and ISO-8859-1 encodings of the body and supports automatic inflation ofgzip, br (brotli) and deflate encodings.

A new body object containing the parsed data is populated on the requestobject after the middleware (i.e.req.body). This object will contain key-value pairs, where the value can be a string or array (whenextendedisfalse), or any type (when extended is true).

#### Options

The urlencoded function takes an optional optionsobject that may contain any of the following keys:

##### extended

The "extended" syntax allows for rich objects and arrays to be encoded into the URL-encoded format, allowing for a JSON-like experience with URL-encoded. For more information, please see the qs library.

Defaults to false.

##### inflate

When set to true, then deflated (compressed) bodies will be inflated; whenfalse, deflated bodies are rejected. Defaults to true.

##### limit

##### parameterLimit

The parameterLimitoption controls the maximum number of parameters that are allowed in the URL-encoded data. If a request contains more parameters than this value, a 413 will be returned to the client. Defaults to1000.

##### type

The typeoption is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function,typeoption is passed directly to the type-is library and this can be an extension name (likeurlencoded), a mime type (likeapplication/x-www-form-urlencoded), or a mime type with a wildcard (like*/x-www-form-urlencoded). If a function, the typeoption is called asfn(req)and the request is parsed if it returns a truthy value. Defaults toapplication/x-www-form-urlencoded.

##### verify

##### defaultCharset

The default charset to parse as, if not specified in content-type. Must be eitherutf-8 or iso-8859-1. Defaults to utf-8.

##### charsetSentinel

Whether to let the value of the utf8parameter take precedence as the charset selector. It requires the form to contain a parameter namedutf8with a value of✓. Defaults to false.

##### interpretNumericEntities

Whether to decode numeric entities such as ☺when parsing an iso-8859-1 form. Defaults tofalse.

##### depth

The depth option is used to configure the maximum depth of the qs library when extended is true. This allows you to limit the amount of keys that are parsed and can be useful to prevent certain types of abuse. Defaults to 32. It is recommended to keep this value as low as possible.

`Errors`

The middlewares provided by this module create errors using thehttp-errors module. The errors will typically have astatus/statusCodeproperty that contains the suggested HTTP response code, anexpose property to determine if the messageproperty should be displayed to the client, atypeproperty to determine the type of error without matching against themessage, and a bodyproperty containing the read body, if available.

The following are the common errors created, though any error can come through for various reasons.

`$3`

This error will occur when the request had a Content-Encodingheader that contained an encoding but the "inflation" option was set tofalse. Thestatus property is set to 415, the typeproperty is set to'encoding.unsupported', and the charsetproperty will be set to the encoding that is unsupported.

`$3`

This error will occur when the request contained an entity that could not be parsed by the middleware. Thestatus property is set to 400, the typeproperty is set to'entity.parse.failed', and the bodyproperty is set to the entity value that failed parsing.

`$3`

This error will occur when the request contained an entity that could not be failed verification by the definedverify option. The statusproperty is set to403, the type property is set to 'entity.verify.failed', and thebody property is set to the entity value that failed verification.

`$3`

This error will occur when the request is aborted by the client before reading the body has finished. Thereceivedproperty will be set to the number of bytes received before the request was aborted and theexpectedproperty is set to the number of expected bytes. Thestatus property is set to 400andtype property is set to 'request.aborted'.

`$3`

This error will occur when the request body's size is larger than the "limit" option. Thelimit property will be set to the byte limit and the lengthproperty will be set to the request body's length. Thestatusproperty is set to413 and the type property is set to 'entity.too.large'.

`$3`

This error will occur when the request's length did not match the length from theContent-Lengthheader. This typically occurs when the request is malformed, typically when theContent-Lengthheader was calculated based on characters instead of bytes. Thestatus property is set to 400 and the typeproperty is set to'request.size.invalid'.

`$3`

This error will occur when something called the req.setEncodingmethod prior to this middleware. This module operates directly on bytes only and you cannot callreq.setEncoding when using this module. The statusproperty is set to500 and the type property is set to 'stream.encoding.set'.

`$3`

This error will occur when the request is no longer readable when this middleware attempts to read it. This typically means something other than a middleware from this module read the request body already and the middleware was also configured to read the same request. Thestatus property is set to 500 and the typeproperty is set to'stream.not.readable'.

`$3`

This error will occur when the content of the request exceeds the configuredparameterLimit for the urlencoded parser. The statusproperty is set to413 and the type property is set to 'parameters.too.many'.

`$3`

This error will occur when the request had a charset parameter in theContent-Type header, but the iconv-litemodule does not support it OR the parser does not support it. The charset is contained in the message as well as in thecharset property. The status property is set to 415, thetype property is set to 'charset.unsupported', and the charsetproperty is set to the charset that is unsupported.

`$3`

This error will occur when the request had a Content-Encodingheader that contained an unsupported encoding. The encoding is contained in the message as well as in theencoding property. The status property is set to 415, thetype property is set to 'encoding.unsupported', and the encodingproperty is set to the encoding that is unsupported.

`$3`

This error occurs when using bodyParser.urlencoded with the extended property set to true and the input exceeds the configured depth option. The status property is set to 400. It is recommended to review the depth option and evaluate if it requires a higher value. When the depth option is set to 32 (default value), the error will not be thrown.

`Examples`

`$3`

This example demonstrates adding a generic JSON and URL-encoded parser as a top-level middleware, which will parse the bodies of all incoming requests. This is the simplest setup.

`js const express = require('express') const bodyParser = require('body-parser')

const app = express()

// parse application/x-www-form-urlencoded app.use(bodyParser.urlencoded())

// parse application/json app.use(bodyParser.json())

app.use(function (req, res) { res.setHeader('Content-Type', 'text/plain') res.write('you posted:\n') res.end(String(JSON.stringify(req.body, null, 2))) })`

`$3`

This example demonstrates adding body parsers specifically to the routes that need them. In general, this is the most recommended way to use body-parser with Express.

`js const express = require('express') const bodyParser = require('body-parser')

const app = express()

// create application/json parser const jsonParser = bodyParser.json()

// create application/x-www-form-urlencoded parser const urlencodedParser = bodyParser.urlencoded()

// POST /login gets urlencoded bodies app.post('/login', urlencodedParser, function (req, res) { if (!req.body || !req.body.username) res.sendStatus(400) res.send('welcome, ' + req.body.username) })

// POST /api/users gets JSON bodies app.post('/api/users', jsonParser, function (req, res) { if (!req.body) res.sendStatus(400) // create user in req.body })`

`$3`

All the parsers accept a typeoption which allows you to change theContent-Type that the middleware will parse.

`js const express = require('express') const bodyParser = require('body-parser')

const app = express()

// parse various different custom JSON types as JSON app.use(bodyParser.json({ type: 'application/*+json' }))

// parse some custom thing into a Buffer app.use(bodyParser.raw({ type: 'application/vnd.custom-type' }))

// parse an HTML body into a string app.use(bodyParser.text({ type: 'text/html' }))``

License

MIT

[ci-image]: https://img.shields.io/github/actions/workflow/status/expressjs/body-parser/ci.yml?branch=master&label=ci
[ci-url]: https://github.com/expressjs/body-parser/actions/workflows/ci.yml
[coveralls-image]: https://img.shields.io/coverallsCoverage/github/expressjs/body-parser?branch=master
[coveralls-url]: https://coveralls.io/r/expressjs/body-parser?branch=master
[npm-downloads-image]: https://img.shields.io/npm/dm/body-parser
[npm-url]: https://npmjs.com/package/body-parser
[npm-version-image]: https://img.shields.io/npm/v/body-parser
[ossf-scorecard-badge]: https://api.scorecard.dev/projects/github.com/expressjs/body-parser/badge
[ossf-scorecard-visualizer]: https://ossf.github.io/scorecard-visualizer/#/projects/github.com/expressjs/body-parser

body-parser

Node.js body parsing middleware.

Parse incoming request bodies in a middleware before your handlers, available
under the req.body property.

Learn about the anatomy of an HTTP transaction in Node.js.

_This does not handle multipart bodies_, due to their complex and typically
large nature. For multipart bodies, you may be interested in the following
modules:

* busboy and
connect-busboy
* multiparty and
connect-multiparty
* formidable
* multer

This module provides the following parsers:

* JSON body parser
* Raw body parser
* Text body parser
* URL-encoded form body parser

Other body parsers you might be interested in:

- body
- co-body

Installation

``sh $ npm install body-parser`

`API`

`js const bodyParser = require('body-parser')`

The various errors returned by this module are described in the errors section.

`$3`

A new body object containing the parsed data is populated on the requestobject after the middleware (i.e.req.body).

#### Options

The json function takes an optional optionsobject that may contain any of the following keys:

##### defaultCharset

Specify the default character set for the json content if the charset is not specified in theContent-Type header of the request. Defaults to utf-8.

##### inflate

When set to true, then deflated (compressed) bodies will be inflated; whenfalse, deflated bodies are rejected. Defaults to true.

##### limit

##### reviver

The reviver option is passed directly to JSON.parseas the second argument. You can find more information on this argument in the MDN documentation about JSON.parse.

##### strict

When set to true, will only accept arrays and objects; when falsewill accept anythingJSON.parse accepts. Defaults to true.

##### type

##### verify

`$3`

A new body object containing the parsed data is populated on the requestobject after the middleware (i.e.req.body). This will be a Bufferobject of the body.

#### Options

The raw function takes an optional optionsobject that may contain any of the following keys:

##### inflate

When set to true, then deflated (compressed) bodies will be inflated; whenfalse, deflated bodies are rejected. Defaults to true.

##### limit

##### type

The typeoption is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function,typeoption is passed directly to the type-is library and this can be an extension name (likebin), a mime type (likeapplication/octet-stream), or a mime type with a wildcard (like /orapplication/*). If a function, the type option is called as fn(req)and the request is parsed if it returns a truthy value. Defaults toapplication/octet-stream.

##### verify

`$3`

A new body string containing the parsed data is populated on the requestobject after the middleware (i.e.req.body). This will be a string of the body.

#### Options

The text function takes an optional optionsobject that may contain any of the following keys:

##### defaultCharset

Specify the default character set for the text content if the charset is not specified in theContent-Type header of the request. Defaults to utf-8.

##### inflate

When set to true, then deflated (compressed) bodies will be inflated; whenfalse, deflated bodies are rejected. Defaults to true.

##### limit

##### type

The typeoption is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function,typeoption is passed directly to the type-is library and this can be an extension name (liketxt), a mime type (like text/plain), or a mime type with a wildcard (like/ or text/*). If a function, the typeoption is called asfn(req)and the request is parsed if it returns a truthy value. Defaults totext/plain.

##### verify

`$3`

#### Options

The urlencoded function takes an optional optionsobject that may contain any of the following keys:

##### extended

Defaults to false.

##### inflate

When set to true, then deflated (compressed) bodies will be inflated; whenfalse, deflated bodies are rejected. Defaults to true.

##### limit

##### parameterLimit

##### type

The typeoption is used to determine what media type the middleware will parse. This option can be a string, array of strings, or a function. If not a function,typeoption is passed directly to the type-is library and this can be an extension name (likeurlencoded), a mime type (likeapplication/x-www-form-urlencoded), or a mime type with a wildcard (like*/x-www-form-urlencoded). If a function, the typeoption is called asfn(req)and the request is parsed if it returns a truthy value. Defaults toapplication/x-www-form-urlencoded.

##### verify

##### defaultCharset

The default charset to parse as, if not specified in content-type. Must be eitherutf-8 or iso-8859-1. Defaults to utf-8.

##### charsetSentinel

Whether to let the value of the utf8parameter take precedence as the charset selector. It requires the form to contain a parameter namedutf8with a value of✓. Defaults to false.

##### interpretNumericEntities

Whether to decode numeric entities such as ☺when parsing an iso-8859-1 form. Defaults tofalse.

##### depth

`Errors`

The following are the common errors created, though any error can come through for various reasons.

`$3`

`Examples`

`$3`

This example demonstrates adding a generic JSON and URL-encoded parser as a top-level middleware, which will parse the bodies of all incoming requests. This is the simplest setup.

`js const express = require('express') const bodyParser = require('body-parser')

const app = express()

// parse application/x-www-form-urlencoded app.use(bodyParser.urlencoded())

// parse application/json app.use(bodyParser.json())

app.use(function (req, res) { res.setHeader('Content-Type', 'text/plain') res.write('you posted:\n') res.end(String(JSON.stringify(req.body, null, 2))) })`

`$3`

This example demonstrates adding body parsers specifically to the routes that need them. In general, this is the most recommended way to use body-parser with Express.

`js const express = require('express') const bodyParser = require('body-parser')

const app = express()

// create application/json parser const jsonParser = bodyParser.json()

// create application/x-www-form-urlencoded parser const urlencodedParser = bodyParser.urlencoded()

// POST /api/users gets JSON bodies app.post('/api/users', jsonParser, function (req, res) { if (!req.body) res.sendStatus(400) // create user in req.body })`

`$3`

All the parsers accept a typeoption which allows you to change theContent-Type that the middleware will parse.

`js const express = require('express') const bodyParser = require('body-parser')

const app = express()

// parse various different custom JSON types as JSON app.use(bodyParser.json({ type: 'application/*+json' }))

// parse some custom thing into a Buffer app.use(bodyParser.raw({ type: 'application/vnd.custom-type' }))

// parse an HTML body into a string app.use(bodyParser.text({ type: 'text/html' }))``

License

MIT

body-parser

Dist Tags

body-parser

Installation

API

$3

$3

$3

$3

Errors

$3

$3

$3

$3

$3

$3

$3

$3

$3

$3

$3

$3

Examples

$3

$3

$3

License

body-parser

Dist Tags

body-parser

Installation

API

$3

$3

$3

$3

Errors

$3

$3

$3

$3

$3

$3

$3

$3

$3

$3

$3

$3

Examples

$3

$3

$3

License

`API`

`$3`

`$3`

`$3`

`$3`

`Errors`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`Examples`

`$3`

`$3`

`$3`

`API`

`$3`

`$3`

`$3`

`$3`

`Errors`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`$3`

`Examples`

`$3`

`$3`

`$3`