echo icon indicating copy to clipboard operation
echo copied to clipboard

Published 20 hours ago verified publisher icon labstack

When `c.bind()` fails with a type error on POST'd form data the `inputfieldname` is not available

Open oschonrock opened this issue 10 months ago • 3 comments

Issue Description

When using echo for a web application sending HTML and receiving MIMEApplicationForm POST requests, it seems very difficult / impossible to show helpful validation error messages to the user, when using echo.context.bind().

For any string data coming from the MIMEApplicationForm submit which cannot be converted to the target type in the "DTO" struct provided, echo.context.bind() returns a generic error that gives no information about which struct/form field failed validation.

This makes it very difficult or impossible to render a helpful message to the user like "The number field should contain an integer". when the failed form is re-rendered in the browser.

This issue is also discussed here: https://stackoverflow.com/a/77712569/1087626

The issue apparently does not exist when dealing with JSON data rather than MIMEApplicationForm

Checklist

  • [x] Dependencies installed
  • [x] No typos
  • [x] Searched existing issues and docs

Expected behaviour

For the error returned from context.bind() to return some information about which field failed type conversion

Actual behaviour

The error returned from context.bind() contains no information about the form field which failed type conversion.

Steps to reproduce

server as below, then POST a non-integer to be bound into an integer field

$ curl localhost:8080/submit -d"number=10a"
code=400, message=strconv.ParseInt: parsing "10a": invalid syntax, internal=strconv.ParseInt: parsing "10a": invalid syntax

Working code to debug

package main

import (
	"fmt"
	"net/http"

	"github.com/labstack/echo/v4"
)

type DTO struct {
	Number int     `form:"number"`
}

func main() {
	e := echo.New()
	e.POST("/submit", func(c echo.Context) error {
		dto := DTO{}
		if err := c.Bind(&dto); err != nil {
			return c.String(http.StatusBadRequest, err.Error() + "\n")
		}
		return c.String(http.StatusOK, fmt.Sprint(dto) + "\n")
	})
	addr := "127.0.0.1:8080"
	e.Logger.Fatal(e.Start(addr))
}

The following diff shows that the desired "fieldname" information is available in the relevant part of bind.go and could return that info with the error:

--- /home/oliver/bind.go	2024-04-24 17:01:48.429244184 +0100
+++ /home/oliver/go/pkg/mod/github.com/labstack/echo/[email protected]/bind.go	2024-04-24 17:09:46.881545243 +0100
@@ -263,7 +263,7 @@
 		}
 
 		if err := setWithProperType(structFieldKind, inputValue[0], structField); err != nil {
-			return err
+			return fmt.Errorf("%s: %w", inputFieldName, err)
 		}
 	}
 	return nil

This may not be the preferred way to fix it (and would require some string parsing of the error message to get the desired info) but it shows a proof of concept solution.

The result with the above fix is:

$ curl localhost:8080/submit -d"number=10a"
code=400, message=number: strconv.ParseInt: parsing "10a": invalid syntax, internal=number: strconv.ParseInt: parsing "10a": invalid syntax

Version/commit

v4.12

oschonrock avatar Apr 24 '24 16:04 oschonrock

to make this work for time.Time fields we also need this:

$ diff -u ~/bind.go ~/go/pkg/mod/github.com/labstack/echo/[email protected]/bind.go 
--- /home/oliver/bind.go	2024-04-24 17:01:48.429244184 +0100
+++ /home/oliver/go/pkg/mod/github.com/labstack/echo/[email protected]/bind.go	2024-04-24 20:16:16.370829698 +0100
@@ -237,7 +237,7 @@
 
 		if ok, err := unmarshalInputToField(typeField.Type.Kind(), inputValue[0], structField); ok {
 			if err != nil {
-				return err
+				return fmt.Errorf("%s: %w", inputFieldName, err)
 			}
 			continue
 		}

no doubt there are few more.

If this type of "error wrapping" approach to providing failure context to the caller is what is wanrted, I am happy to create a pull request for the fullest possible set of cases.

oschonrock avatar Apr 24 '24 19:04 oschonrock

If you are in a hurry you could use different binder that does not use struct tags and has errors containing field names. See this example line 34 bErr.Field:

https://github.com/labstack/echo/blob/88c379ff77278f553a0f3c44d27786b5a450b6e9/binder_external_test.go#L25-L38

aldas avatar Apr 24 '24 19:04 aldas

Thanks.

Yes, hadn't tried that. A little more verbose, but very powerful. Supports time format, arrays and required/must. Nice.

echo.BindingError Missing the type information though?

I can't construct an error message for the user saying "we were expecting an integer for field X but you gave us Y"?

oschonrock avatar Apr 24 '24 21:04 oschonrock