
Unexploitable Error Reporting in API Responses

Open benoit-scnd opened this issue 1 year ago • 4 comments

Hello @samchon ,

When sending requests that contain multiple typia errors, the API appears to halt and return an error response upon encountering the first error. This behavior means we need to go through multiple rounds of request correction to uncover and handle all the errors in the original request.

Here is an example:

{
    "status": 400,
    "error": "Bad Request",
    "message": "Validation failed",
    "details": [
        {
            "path": "email",
            "message": "Must be a valid email address"
        },
        {
            "path": "password",
            "message": "Must be at least 8 characters"
        }
    ]
}

benoit-scnd avatar Jun 22 '23 14:06 benoit-scnd

If you've installed nestia through the npx nestia setup command, then you can see such a comment in the plugins option. Change the validate: assert property value to validate: validate, then you may get what you want.

https://github.com/samchon/backend/blob/ed058fae2875533a1c201c4a757f45c22ca1326b/tsconfig.json#L69-L89

samchon avatar Jun 22 '23 14:06 samchon

Thank you! This should be the default behavior.

benoit-scnd avatar Jun 22 '23 14:06 benoit-scnd

@benoit-scnd

The reason why the validate() function has not been chosen as the default is that, if it were, hackers could easily attack the backend server just by sending large, invalid JSON data. Although typia is 20,000x faster than class-validator, the validation process runs on the main thread and stops the entire server during the operation.

That is the reason why I selected the assert() function as the default.

In fact, you can easily spoil a NestJS backend server just by sending invalid and large JSON data, because class-validator can only validate 3MB per second.

samchon avatar Jun 22 '23 15:06 samchon
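The trade-off described in the comment above, as an added example that is not code from nestia, typia or this thread: an assert-style check that stops at the first failing rule, a validate-style check that collects every failure into the details array shape the issue shows, and a byte-size cap applied before parsing so that an oversized body is rejected before any validation work runs on the main thread. The rule set, the MAX_BODY_BYTES limit and the handleRequest function are assumptions standing in for what typia would generate and what a NestJS controller would do.

```typescript
// Added example: fail-fast vs collect-all validation, plus a size cap
// that runs before either. Not typia/nestia code; all names are hypothetical.

interface Issue { path: string; message: string }
interface Rule { path: string; message: string; check: (v: unknown) => boolean }

// Hypothetical rules standing in for a generated typia schema.
const rules: Rule[] = [
  {
    path: "email",
    message: "Must be a valid email address",
    check: (v: unknown): boolean =>
      typeof v === "string" && /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v),
  },
  {
    path: "password",
    message: "Must be at least 8 characters",
    check: (v: unknown): boolean => typeof v === "string" && v.length >= 8,
  },
];

// assert-style: return the first failure and stop (less work per request).
function assertBody(body: Record<string, unknown>): Issue | null {
  for (const r of rules) {
    if (!r.check(body[r.path])) return { path: r.path, message: r.message };
  }
  return null;
}

// validate-style: evaluate every rule and report all failures at once.
function validateBody(body: Record<string, unknown>): Issue[] {
  const issues: Issue[] = [];
  for (const r of rules) {
    if (!r.check(body[r.path])) issues.push({ path: r.path, message: r.message });
  }
  return issues;
}

// UTF-8 byte length without depending on Buffer or TextEncoder.
function utf8Length(s: string): number {
  let n = 0;
  for (const ch of s) {
    const cp = ch.codePointAt(0) as number;
    n += cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
  }
  return n;
}

// Hypothetical cap; a real service sizes this to its largest legitimate body.
const MAX_BODY_BYTES = 1024;

interface Reply { status: number; error?: string; message?: string; details?: Issue[] }

// Mitigation order: size cap -> parse -> validate. The cap bounds the CPU
// time an attacker can force, whichever validation style is configured.
function handleRequest(raw: string, collectAll: boolean): Reply {
  if (utf8Length(raw) > MAX_BODY_BYTES) {
    return { status: 413, error: "Payload Too Large" };
  }
  let body: unknown;
  try {
    body = JSON.parse(raw);
  } catch {
    return { status: 400, error: "Bad Request", message: "Malformed JSON" };
  }
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    return { status: 400, error: "Bad Request", message: "Expected an object" };
  }
  const obj = body as Record<string, unknown>;
  const details = collectAll
    ? validateBody(obj)
    : (() => { const i = assertBody(obj); return i ? [i] : []; })();
  if (details.length > 0) {
    return { status: 400, error: "Bad Request", message: "Validation failed", details };
  }
  return { status: 200 };
}
```

With collectAll set to true the 400 response carries both the email and the password issue in one round trip, which is the behaviour the issue asks for; with it set to false only the email issue is returned. In both modes a body larger than MAX_BODY_BYTES is refused with 413 before JSON.parse or any rule runs, which is the check that keeps the validate-style configuration from being a cheap way to tie up the event loop.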

Anyway, I had to write guide documents about this issue, but have delayed it for a long time.

I'll keep this issue open, and will close it after writing guide documents as an FAQ corner someday (not sure when).

samchon avatar Jun 22 '23 15:06 samchon