npm - @rvoh/psychic - Versions diffs - 1.8.0 → 1.8.1 - Mend

@rvoh/psychic 1.8.0 → 1.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,262 @@
+## 1.8.1
+- do not coerce types in ajv when processing request or response bodies during validation. Type coercion will still happen for headers and query params, since they will need to respect the schema type specified in the openapi docuement.
+## 1.8.0
+- remove unused `clientRoot` config
+## 1.7.2
+- generate admin routes in routes.admin.ts (requires `routes.admin.ts` next to `routes.ts`)
+## 1.7.1
+- compute openapi doc during intiialization, rather than problematically reading from a file cache
+## 1.7.0
+- `sanitizeResponseJson` config to automatically escape `<`, `>`, `&`, `/`, `\`, `'`, and `"` unicode representations when rendering json to satisfy security reviews (e.g., a pentest report recently called this out on one of our applications). For all practical purposes, this doesn't protect against anything (now that we have the `nosniff` header) since `JSON.parse` on the other end restores the original, dangerous string. Modern front end web frameworks already handle safely displaying arbitrary content, so further sanitization generally isn't needed. This version does provide the `sanitizeString` function that could be used to sanitize individual strings, replacing the above characters with string representations of the unicode characters that will survive Psychic converting to json and then parsing that json (i.e.: `<` will end up as the string "\u003c")
+- Fix openapi serializer fallback issue introduced in 1.6.3, where we mistakenly double render data that has already been serialized.
+## 1.6.4
+Raise an exception if attempting to import an openapi file during PsychicApp.init when in production. We will still swallow the exception in non-prod environments so that one can create a new openapi configuration and run sync without getting an error.
+## 1.6.3
+- castParam accepts raw openapi shapes as type arguments, correctly casting the result to an interface representing the provided openapi shape.
+```ts
+class MyController extends ApplicationController {
+  public index() {
+    const myParam = this.castParam('myParam', {
+      type: 'array',
+      items: {
+        anyOf: [{ type: 'string' }, { type: 'number' }],
+      },
+    })
+    myParam[0] // string | number
+  }
+}
+```
+- simplify the needlessly-robust new psychic router patterns by making expressApp optional, essentially reverting us back to the same psychic router we had prior to the recent openapi validation changes.
+- fallback to serializer specified in openapi decorator before falling back to dream serializer when rendering dreams
+## 1.6.2
+fix OpenAPI spec generation by DRYing up generation of request and response body
+## 1.6.1
+fix issue preventing validation fallbacks from properly overriding on OpenAPI decorator calls when explicitly opting out of validation
+## 1.6.0
+enables validation to be added to both openapi configurations, as well as to `OpenAPI` decorator calls, enabling the developer to granularly control validation logic for their endpoints.
+To leverage global config:
+```ts
+// conf/app.ts
+export default async (psy: PsychicApp) => {
+  ...
+  psy.set('openapi', {
+    // ...
+    validate: {
+      headers: true,
+      requestBody: true,
+      query: true,
+      responseBody: AppEnv.isTest,
+    },
+  })
+}
+```
+To leverage endpoint config:
+```ts
+// controllers/PetsController
+export default class PetsController {
+  @OpenAPI(Pet, {
+    ...
+    validate: {
+      headers: true,
+      requestBody: true,
+      query: true,
+      responseBody: AppEnv.isTest,
+    }
+  })
+  public async index() {
+    ...
+  }
+}
+```
+This PR additionally formally introduces a new possible error type for 400 status codes, and to help distinguish, it also introduces a `type` field, which can be either `openapi` or `dream` to aid the developer in easily handling the various cases.
+We have made a conscious decision to render openapi errors in the exact format that ajv returns, since it empowers the developer to utilize tools which can already respond to ajv errors.
+For added flexibility, this PR includes the ability to provide configuration overrides for the ajv instance, as well as the ability to provide an initialization function to override ajv behavior, since much of the configuration for ajv is driven by method calls, rather than simple config.
+```ts
+// controllers/PetsController
+export default class PetsController {
+  @OpenAPI(Pet, {
+    ...
+    validate: {
+      ajvOptions: {
+        // this is off by default, but you will
+        // always want to keep this off in prod
+        // to avoid DoS vulnerabilities
+        allErrors: AppEnv.isTest,
+        // provide a custom init function to further
+        // configure your ajv instance before validating
+        init: ajv => {
+          ajv.addFormat('myFormat', {
+            type: 'string',
+            validate: data => MY_FORMAT_REGEX.test(data),
+          })
+        }
+      }
+    }
+  })
+  public async index() {
+    ...
+  }
+}
+```
+## 1.5.5
+- ensure that openapi-typescript and typescript are not required dependencies when running migrations with --skip-sync flag
+## 1.5.4
+- fix issue when providing the `including` argument exclusively to an OpenAPI decorator's `requestBody`
+## 1.5.3
+- add missing peer dependency for openapi-typescript, allow BIGINT type when generating openapi-typescript bigints
+## 1.5.2
+- ensure that bigints are converted to number | string when generating openapi-typescript type files
+## 1.5.1
+- fix issue with enum syncing related to multi-db engine support regression
+## 1.5.0
+- add support for multiple database engines in dream
+## 1.2.3
+- add support for the connectionName argument when generating a resource
+## 1.2.2
+- bump supertest and express-session to close dependabot issues [53](https://github.com/rvohealth/psychic/security/dependabot/53), [56](https://github.com/rvohealth/psychic/security/dependabot/56), and [57](https://github.com/rvohealth/psychic/security/dependabot/57)
+## 1.2.1
+- add ability to set custom import extension, which will be used when generating new files for your application
+## 1.2.0
+- update for Dream 1.4.0
+## 1.1.11
+- 400 is more appropriate than 422 for `DataTypeColumnTypeMismatch`
+## 1.1.10
+- Don't include deletedAt in generated create/update actions in resource specs since deletedAt is for deleting
+- return 422 if Dream throws `NotNullViolation` or `CheckConstraintViolation`
+## 1.1.9
+- return 422 if dream throws `DataTypeColumnTypeMismatch`, which happens when a dream is saved to the database with data that cannot be inserted into the respective columns, usually because of a type mismatch.
+- castParam will now encase params in an array when being explicitly casted as an array type, bypassing a known bug in express from causing arrays with single items in them to be treated as non-arrays.
+## 1.1.8
+- Tap into CliFileWriter provided by dream to tap into file reversion for sync files, since the auto-sync function in psychic can fail and leave your file tree in a bad state.
+## 1.1.7
+- Add support for middleware arrays, enabling express plugins like passport
+## 1.1.6
+- fix regression caused by missing --schema-only option in psychic cli
+## 1.1.5
+- pass packageManager through to dream, now that it accepts a packageManager setting.
+- update dream shadowing within psychic application initialization to take place after initializers and plugins are processed, so that those initializers and plugins have an opportunity to adjust the settings.
+## 1.1.4
+- fix regressions to redux bindings caused by default openapi path location changes
+- resource generator can handle prefixing slashes
+## 1.1.3
+- fix more minor issues with redux openapi bindings
+## 1.1.2
+- Fix various issues with openapi redux bindings
+- raise hard exception if accidentally using openapi route params in an expressjs route path
+## 1.1.1
+Fix route printing regression causing route printouts to show the path instead of the action
+## v1.1.0
+Provides easier access to express middleware by exposing `PsychicApp#use`, which enables a developer to provide express middleware directly through the psychcic application, without tapping into any hooks.
+```ts
+psy.use((_, res) => {
+  res.send(
+    'this will be run after psychic middleware (i.e. cors and bodyParser) are processed, but before routes are processed',
+  )
+})
+```
+Some middleware needs to be run before other middleware, so we expose an optional first argument which can be provided so explicitly send your middleware into express at various stages of the psychic configuration process. For example, to inject your middleware before cors and bodyParser are configured, provide `before-middleware` as the first argument. To initialize your middleware after the psychic default middleware, but before your routes have been processed, provide `after-middleware` as the first argument (or simply provide a callback function directly, since this is the default). To run after routes have been processed, provide `after-routes` as the first argument.
+```ts
+psy.use('before-middleware', (_, res) => {
+  res.send('this will be run before psychic has configured any default middleware')
+})
+psy.use('after-middleware', (_, res) => {
+  res.send('this will be run after psychic has configured default middleware')
+})
+psy.use('after-routes', (_, res) => {
+  res.send('this will be run after psychic has processed all the routes in your conf/routes.ts file')
+})
+```
+Additionally, a new overload has been added to all CRUD methods on the PsychicRouter class, enabling you to provide RequestHandler middleware directly to psychic, like so:
+```ts
+// conf/routes.ts
+r.get('helloworld', (req, res, next) => {
+  res.json({ hello: 'world' })
+})
+```

package/dist/cjs/src/helpers/validateOpenApiSchema.js CHANGED Viewed

@@ -46,8 +46,6 @@ const ajv_formats_1 = __importDefault(require("ajv-formats"));
 function validateOpenApiSchema(data, openapiSchema, options = {}) {
     return validateObject(data, openapiSchema, {
         removeAdditional: 'failing', // Remove properties that fail validation
-        useDefaults: true,
-        coerceTypes: true,
         ...options,
     });
 }
@@ -112,9 +110,10 @@ function createValidator(schema, options = {}) {
     const ajv = new ajv_1.Ajv({
         removeAdditional: false,
         useDefaults: true,
-        coerceTypes: true,
-        strict: false, // Allow unknown keywords for OpenAPI compatibility
-        allErrors: options.allErrors || false, // Collect all errors, not just the first one
+        strict: false,
+        coerceTypes: false,
+        strictTypes: true,
+        allErrors: false,
         validateFormats: true, // Enable format validation for date-time, email, etc.
         ...ajvOptions,
     });

package/dist/cjs/src/openapi-renderer/helpers/OpenapiPayloadValidator.js CHANGED Viewed

@@ -209,7 +209,7 @@ class OpenapiPayloadValidator {
     validateOrFail(
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     data, openapiSchema, target) {
-        const validationResults = (0, validateOpenApiSchema_js_1.default)(data || {}, this.addComponentsToSchema(openapiSchema), this.getAjvOptions());
+        const validationResults = (0, validateOpenApiSchema_js_1.default)(data || {}, this.addComponentsToSchema(openapiSchema), this.getAjvOptions(target));
         if (!validationResults.isValid) {
             const errorClass = target === 'responseBody' ? OpenapResponseValidationFailure_js_1.default : OpenapiRequestValidationFailure_js_1.default;
             throw new errorClass(validationResults.errors || [], target);
@@ -242,12 +242,17 @@ class OpenapiPayloadValidator {
      * which is automatically handled by psychic and turned into a 400
      * with the respective errors attached.
      */
-    getAjvOptions() {
+    getAjvOptions(target) {
         const rendererOpts = this.openapiEndpointRenderer['validate']?.['ajvOptions'];
         const openapiConf = index_js_1.default.getOrFail().openapi?.[this.openapiName];
         return {
             ...openapiConf?.validate?.ajvOptions,
             ...rendererOpts,
+            // if headers or query, we want to levarage ajv type coercion,
+            // so that a query or header parameter can have a type of i.e. number
+            // or boolean without failing to coerce, since by default our
+            // ajv instance will be instantiated with coerceTypes=false
+            coerceTypes: target === 'headers' || target === 'query',
         };
     }
 }

package/dist/cjs/src/server/params.js CHANGED Viewed

@@ -299,7 +299,7 @@ class Params {
                 return paramValue.map(param => this.cast(paramName, param, arrayTypeToNonArrayType(expectedType), { ...opts, allowNull: true }));
             default:
                 if (this.shouldUseOpenapiValidation(expectedType)) {
-                    const res = (0, validateOpenApiSchema_js_1.validateObject)(paramValue, expectedType);
+                    const res = (0, validateOpenApiSchema_js_1.validateObject)(paramValue, expectedType, { coerceTypes: true });
                     if (res.isValid) {
                         return res.data;
                     }

package/dist/esm/src/helpers/validateOpenApiSchema.js CHANGED Viewed

@@ -38,8 +38,6 @@ import addFormats from 'ajv-formats';
 export default function validateOpenApiSchema(data, openapiSchema, options = {}) {
     return validateObject(data, openapiSchema, {
         removeAdditional: 'failing', // Remove properties that fail validation
-        useDefaults: true,
-        coerceTypes: true,
         ...options,
     });
 }
@@ -104,9 +102,10 @@ export function createValidator(schema, options = {}) {
     const ajv = new Ajv({
         removeAdditional: false,
         useDefaults: true,
-        coerceTypes: true,
-        strict: false, // Allow unknown keywords for OpenAPI compatibility
-        allErrors: options.allErrors || false, // Collect all errors, not just the first one
+        strict: false,
+        coerceTypes: false,
+        strictTypes: true,
+        allErrors: false,
         validateFormats: true, // Enable format validation for date-time, email, etc.
         ...ajvOptions,
     });

package/dist/esm/src/openapi-renderer/helpers/OpenapiPayloadValidator.js CHANGED Viewed

@@ -204,7 +204,7 @@ export default class OpenapiPayloadValidator {
     validateOrFail(
     // eslint-disable-next-line @typescript-eslint/no-explicit-any
     data, openapiSchema, target) {
-        const validationResults = validateOpenApiSchema(data || {}, this.addComponentsToSchema(openapiSchema), this.getAjvOptions());
+        const validationResults = validateOpenApiSchema(data || {}, this.addComponentsToSchema(openapiSchema), this.getAjvOptions(target));
         if (!validationResults.isValid) {
             const errorClass = target === 'responseBody' ? OpenapiResponseValidationFailure : OpenapiRequestValidationFailure;
             throw new errorClass(validationResults.errors || [], target);
@@ -237,12 +237,17 @@ export default class OpenapiPayloadValidator {
      * which is automatically handled by psychic and turned into a 400
      * with the respective errors attached.
      */
-    getAjvOptions() {
+    getAjvOptions(target) {
         const rendererOpts = this.openapiEndpointRenderer['validate']?.['ajvOptions'];
         const openapiConf = PsychicApp.getOrFail().openapi?.[this.openapiName];
         return {
             ...openapiConf?.validate?.ajvOptions,
             ...rendererOpts,
+            // if headers or query, we want to levarage ajv type coercion,
+            // so that a query or header parameter can have a type of i.e. number
+            // or boolean without failing to coerce, since by default our
+            // ajv instance will be instantiated with coerceTypes=false
+            coerceTypes: target === 'headers' || target === 'query',
         };
     }
 }

package/dist/esm/src/server/params.js CHANGED Viewed

@@ -294,7 +294,7 @@ export default class Params {
                 return paramValue.map(param => this.cast(paramName, param, arrayTypeToNonArrayType(expectedType), { ...opts, allowNull: true }));
             default:
                 if (this.shouldUseOpenapiValidation(expectedType)) {
-                    const res = validateObject(paramValue, expectedType);
+                    const res = validateObject(paramValue, expectedType, { coerceTypes: true });
                     if (res.isValid) {
                         return res.data;
                     }

package/package.json CHANGED Viewed

@@ -2,7 +2,7 @@
   "type": "module",
   "name": "@rvoh/psychic",
   "description": "Typescript web framework",
-  "version": "1.8.0",
+  "version": "1.8.1",
   "author": "RVOHealth",
   "repository": {
     "type": "git",
@@ -96,4 +96,4 @@
     "winston": "^3.14.2"
   },
   "packageManager": "yarn@4.7.0"
-}
+}