nestia
Unexploitable Error Reporting in API Responses
Hello @samchon ,
When sending requests that contain multiple typia errors, the API appears to halt and return an error response upon encountering the first error. This behavior means we need to go through multiple rounds of request correction to uncover and handle all the errors in the original request.
Here is an example:
{
  "status": 400,
  "error": "Bad Request",
  "message": "Validation failed",
  "details": [
    {
      "path": "email",
      "message": "Must be a valid email address"
    },
    {
      "path": "password",
      "message": "Must be at least 8 characters"
    }
  ]
}
If you've installed nestia through the npx nestia setup command, then you can see such a comment in the plugins option. Change the validate: assert property value to validate: validate, then what you want will come true.
https://github.com/samchon/backend/blob/ed058fae2875533a1c201c4a757f45c22ca1326b/tsconfig.json#L69-L89
Thank you! This should be the default behavior.
@benoit-scnd
The reason why the validate() function has not been chosen as the default is that, if we did so, hackers could easily attack the backend server just by sending large vulnerable JSON data. Although typia is 20,000x faster than class-validator, the validation process runs on the main thread and it stops the entire server during the operation.
That is the reason why I've selected the assert() function to be the default.
Actually, you can easily spoil a NestJS backend server just by sending invalid and large JSON data, because class-validator can only validate 3MB per second.
Anyway, I had to write guide documents about this issue, but have delayed it for a long time.
I'll keep this issue open, and will close it after writing guide documents as an FAQ corner someday (not sure when).
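As an added illustration of the trade-off discussed in this thread (example code, not nestia's or typia's own; the rule helpers, schema and hostile payload are constructed): a fail-fast "assert" mode does work bounded by the position of the first violation, while a collect-all "validate" mode walks the entire body, so its cost grows with the size of whatever a client sends.

```typescript
// Added example (not nestia/typia code): models the two validation modes.
// "assert" stops at the first violation; "validate" collects every error.
type Rule = (value: unknown) => string | null;
type Schema = Record<string, Rule>;

export interface ValidationError { path: string; message: string; }
export interface Report { errors: ValidationError[]; checked: number; }

// Hypothetical rules standing in for the email / password fields in the issue.
export const isEmail: Rule = (v) =>
  typeof v === "string" && /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v)
    ? null : "Must be a valid email address";
export const minLength = (n: number): Rule => (v) =>
  typeof v === "string" && v.length >= n ? null : `Must be at least ${n} characters`;

export const signupSchema: Schema = { email: isEmail, password: minLength(8) };

// Runs the schema over the input. `checked` counts how many rules were
// evaluated, i.e. how much main-thread work the request cost the server.
export function check(schema: Schema, input: Record<string, unknown>,
                      mode: "assert" | "validate"): Report {
  const errors: ValidationError[] = [];
  let checked = 0;
  for (const [path, rule] of Object.entries(schema)) {
    checked++;
    const message = rule(input[path]);
    if (message === null) continue;
    errors.push({ path, message });
    if (mode === "assert") break; // fail fast: bounded work per request
  }
  return { errors, checked };
}

// Constructed hostile payload: a wide schema where every field is invalid.
// Fail-fast evaluates one rule; collect-all evaluates all of them.
export function hostileDemo(fields: number): { assertChecked: number; validateChecked: number } {
  const schema: Schema = {};
  const body: Record<string, unknown> = {};
  for (let i = 0; i < fields; i++) {
    schema[`field${i}`] = minLength(8);
    body[`field${i}`] = "x";
  }
  return {
    assertChecked: check(schema, body, "assert").checked,
    validateChecked: check(schema, body, "validate").checked,
  };
}
```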