• Can we talk more about middleware?

    All the code we write, plus Express, EJS, etc. comes under the umbrella of "middleware". But maybe you meant one of the following questions.

  • confused a bit about middleware functions?

    Express is designed as a kind of pipeline, where the request and response objects are passed from function to function until eventually it reaches our endpoint handler.

    Each of those functions can do something useful, maybe add some behavior.

    We have middleware to parse the query string, to handle requests for static files, to handle cookies, to create session objects, to add the "flashing" behavior, and more.

  • I would like to learn more about the Multer middleware and what functionality it gives us.

    The Multer middleware parses multi-part forms and puts the files into the request object for us.

  • I got a little tripped up on question 1. For answer choices C and D, these are actions that are good to take for security, but are they necessarily required/mandatory?

    A form to upload a file
        A. Has code to access the local filesystem of the client computer
        B. Has a new input type to browse the filesystem
        C. Has to specify the MIME type of the uploaded file
        D. Has to limit the size of the uploaded file.

    (A) would be a security violation;

    (B) is correct, we use type=file;

    (C) is possible but not required. We should check the MIME type on the server side;

    (D) is not possible; we limit file size on the server side.

  • How does <input type="file"> work?

    It opens up a little window in the browser that allows the user to choose a file from their computer to upload. It's important that the user be involved, otherwise websites could grab files from your computer without your knowledge.

  • Can you elaborate on the advantages/challenges associated with storing uploaded files in the filesystem vs. the database?

    If you store files in the filesystem, you can access them with normal tools like "ls", you can edit them with VS Code or PhotoShop, and you can easily delete them.

    If you store them in the database, they are more secure, but less convenient.

    We are using the diskStorage configuration of Multer.

  • When the website is rendered, does the browser get all the uploaded files in the upload directory?

    Not automatically. But it can request them.

  • What does MIME stand for? Is MIME just the type of the data?

    Multipart Internet Mail Extensions, since it was first invented for attaching files to email messages.

  • I am still a bit confused about res.sendFile(path.join(__dirname, pathname)); how does the trick prevent unauthorized users from accessing the photo with the URL?

    That's not where the "trick" is. The trick is earlier:

    // username comes from the logged-in session; fileDoc is the file's record from the database
    if (!isAuthorizedToView(username, fileDoc.owner)) {
        console.log("not authorized");
        req.flash('info', "You are not authorized to view this file");
        return res.redirect('/myphotos');   // respond here; sendFile below never runs
    }
    // only reached when the check above passed
    return res.sendFile(path.join(__dirname, pathname));

    We only get to the sendFile if they are authorized.

  • "I don't really understand

        upload.single('photo')

    and how it is used in

        app.post('/upload', upload.single('photo'), async (req, res) => {

    I also don't really get how

        return res.sendFile(path.join(__dirname, pathname));

    works. I am a little confused about these:

        const DB = process.env.USER;
        const FILES = 'filesOwned';
        const USERS = 'fileOwners';

    Are FILES and USERS new directories created in my local environment? Do these only allow access to files on my local machine?"

    They are MongoDB collections, where we store info about the files.

    The files are on the CS server, where Node.js is running.