feathers-hooks-common icon indicating copy to clipboard operation
feathers-hooks-common copied to clipboard

Published 20 hours ago verified publisher icon feathersjs-ecosystem

paramsFromClient pollutes context by default

Open FossPrime opened this issue 2 years ago • 1 comments
trafficstars

https://github.com/feathersjs-ecosystem/feathers-hooks-common/blob/15ddaa6f12df8410bdfd2461ac02d46cbdd086ed/src/hooks/params-from-client.ts#L22

While whitelisting is a good security feature, it is the adapter's job to complain about invalid query parameters, not ours.

It makes it difficult to compose hooks with this as it damages the context if used at app level/around/provider and also in services.

Proposal:

   const foreignParamCount = 0
    // in an Object.keys(ctx.params.query?.$client) loop, foreignParamCount++
	if (foreignParamCount === 0) {
      delete ctx.params.query.$client
    }

The alternative is to dump repetitive code like this in all over userland hooks:

delete ctx.params.query.$client.sudo
if (Object.keys(ctx.params.query.$client).length === 0) {
  delete ctx.params.query.$client
}

FossPrime avatar Aug 30 '23 19:08 FossPrime