fastify 3.21.5 → 3.23.0

package/build/build-validation.js

@@ -15,6 +15,8 @@ const ajv = new Ajv({
 const defaultInitOptions = {
   connectionTimeout: 0, // 0 sec
   keepAliveTimeout: 5000, // 5 sec
+  maxRequestsPerSocket: 0, // no limit
+  requestTimeout: 0, // no limit
   bodyLimit: 1024 * 1024, // 1 MiB
   caseSensitive: true,
   disableRequestLogging: false,
@@ -47,6 +49,8 @@ const schema = {
   properties: {
     connectionTimeout: { type: 'integer', default: defaultInitOptions.connectionTimeout },
     keepAliveTimeout: { type: 'integer', default: defaultInitOptions.keepAliveTimeout },
+    maxRequestsPerSocket: { type: 'integer', default: defaultInitOptions.maxRequestsPerSocket, nullable: true },
+    requestTimeout: { type: 'integer', default: defaultInitOptions.requestTimeout },
     bodyLimit: { type: 'integer', default: defaultInitOptions.bodyLimit },
     caseSensitive: { type: 'boolean', default: defaultInitOptions.caseSensitive },
     http2: { type: 'boolean' },

package/docs/Ecosystem.md

@@ -187,6 +187,7 @@ Plugins maintained by the Fastify team are listed under [Core](#core) while plug
 - [`fastify-sse`](https://github.com/lolo32/fastify-sse) to provide Server-Sent Events with `reply.sse( … )` to Fastify.
 - [`fastify-sse-v2`](https://github.com/nodefactoryio/fastify-sse-v2) to provide Server-Sent Events using Async Iterators (supports newer versions of Fastify).
 - [`fastify-stripe`](https://github.com/coopflow/fastify-stripe) Plugin to initialize and encapsulate [Stripe Node.js](https://github.com/stripe/stripe-node) instances in Fastify.
+- [`fastify-supabase`](https://github.com/coopflow/fastify-supabase) Plugin to initialize and encapsulate [Supabase](https://github.com/supabase/supabase-js) instances in Fastify.
 - [`fastify-tls-keygen`](https://gitlab.com/sebdeckers/fastify-tls-keygen) Automatically generate a browser-compatible, trusted, self-signed, localhost-only, TLS certificate.
 - [`fastify-tokenize`](https://github.com/Bowser65/fastify-tokenize) [Tokenize](https://github.com/Bowser65/Tokenize) plugin for Fastify that removes the pain of managing authentication tokens, with built-in integration for `fastify-auth`.
 - [`fastify-totp`](https://github.com/heply/fastify-totp) A plugin to handle TOTP (e.g. for 2FA).

package/docs/Hooks.md

@@ -90,7 +90,7 @@ If you are using the `preValidation` hook, you can change the payload before it
 
 ```js
 fastify.addHook('preValidation', (request, reply, done) => {
-  req.body = { ...req.body, importantKey: 'randomString' }
+  request.body = { ...request.body, importantKey: 'randomString' }
   done()
 })
 ```
@@ -98,7 +98,7 @@ Or `async/await`:
 ```js
 fastify.addHook('preValidation', async (request, reply) => {
   const importantKey = await generateRandomString()
-  req.body = { ...req.body, importantKey }
+  request.body = { ...request.body, importantKey }
 })
 ```
 

package/docs/Recommendations.md

@@ -166,62 +166,94 @@ backend static-backend
 ### Nginx
 
 ```nginx
+# This upstream block groups 3 servers into one named backend fastify_app
+# with 2 primary servers distributed via round-robin
+# and one backup which is used when the first 2 are not reachable
+# This also assumes your fastify servers are listening on port 80.
+# more info: http://nginx.org/en/docs/http/ngx_http_upstream_module.html
 upstream fastify_app {
-  # more info: http://nginx.org/en/docs/http/ngx_http_upstream_module.html
   server 10.10.11.1:80;
   server 10.10.11.2:80;
   server 10.10.11.3:80 backup;
 }
 
+# This server block asks NGINX to respond with a redirect when
+# an incoming request from port 80 (typically plain HTTP), to 
+# the same request URL but with HTTPS as protocol.
+# This block is optional, and usually used if you are handling
+# SSL termination in NGINX, like in the example here.
 server {
-  # default server
+  # default server is a special parameter to ask NGINX
+  # to set this server block to the default for this address/port
+  # which in this case is any address and port 80
   listen 80 default_server;
   listen [::]:80 default_server;
   
-  # specify host
+  # With a server_name directive you can also ask NGINX to
+  # use this server block only with matching server name(s)
   # listen 80;
   # listen [::]:80;
   # server_name example.tld;
 
+  # This matches all paths from the request and responds with
+  # the redirect mentioned above.
   location / {
     return 301 https://$host$request_uri;
   }
 }
 
+# This server block asks NGINX to respond to requests from
+# port 443 with SSL enabled and accept HTTP/2 connections.
+# This is where the request is then proxied to the fastify_app
+# server group via port 3000.
 server {
-  # default server
+  # This listen directive asks NGINX to accept requests
+  # coming to any address, port 443, with SSL, and HTTP/2
+  # if possible.
   listen 443 ssl http2 default_server;
   listen [::]:443 ssl http2 default_server;
-  
-  # specify host
+
+  # With a server_name directive you can also ask NGINX to
+  # use this server block only with matching server name(s)
   # listen 443 ssl http2;
   # listen [::]:443 ssl http2;
   # server_name example.tld;
 
-  # public private keys
+  # Your SSL/TLS certificate (chain) and secret key in the PEM format
   ssl_certificate /path/to/fullchain.pem;
   ssl_certificate_key /path/to/private.pem;
-  ssl_trusted_certificate /path/to/chain.pem;
 
-  # use https://ssl-config.mozilla.org/ for best practice configuration
+  # A generic best practice baseline for based
+  # on https://ssl-config.mozilla.org/
   ssl_session_timeout 1d;
   ssl_session_cache shared:FastifyApp:10m;
   ssl_session_tickets off;
-  
-  # modern configuration
+
+  # This tells NGINX to only accept TLS 1.3, which should be fine
+  # with most modern browsers including IE 11 with certain updates.
+  # If you want to support older browsers you might need to add
+  # additional fallback protocols.
   ssl_protocols TLSv1.3;
   ssl_prefer_server_ciphers off;
-  
-  # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+
+  # This adds a header that tells browsers to only ever use HTTPS
+  # with this server.
   add_header Strict-Transport-Security "max-age=63072000" always;
-  
-  # OCSP stapling
+
+  # The following directives are only necessary if you want to
+  # enable OCSP Stapling.
   ssl_stapling on;
   ssl_stapling_verify on;
+  ssl_trusted_certificate /path/to/chain.pem;
 
-  # custom resolver
+  # Custom nameserver to resolve upstream server names
   # resolver 127.0.0.1;
-      
+
+  # This section matches all paths and proxies it to the backend server
+  # group specified above. Note the additional headers that forward
+  # information about the original request. You might want to set
+  # trustProxy to the address of your NGINX server so the X-Forwarded
+  * fields are used by fastify.
   location / {
     # more info: http://nginx.org/en/docs/http/ngx_http_proxy_module.html
     proxy_http_version 1.1;
@@ -232,8 +264,12 @@ server {
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
-    
-    proxy_pass http://fastify_app:3000;
+
+    # This is the directive that proxies requests to the specified server.
+    # If you are using an upstream group, then you do not need to specify a port.
+    # If you are directly proxying to a server e.g.
+    # proxy_pass http://127.0.0.1:3000 then specify a port.
+    proxy_pass http://fastify_app;
   }
 }
 ```

package/docs/Request.md

@@ -3,7 +3,7 @@
 ## Request
 The first parameter of the handler function is `Request`.<br>
 Request is a core Fastify object containing the following fields:
-- `query` - the parsed querystring, its format is specified by [`querystringParser`](Server.md#querystringParser)
+- `query` - the parsed querystring, its format is specified by [`querystringParser`](Server.md#querystringparser)
 - `body` - the body
 - `params` - the params matching the URL
 - [`headers`](#headers) - the headers getter and setter

package/docs/Server.md

@@ -12,6 +12,8 @@ document describes the properties available in that options object.
 - [https](./Server.md#https)
 - [connectionTimeout](./Server.md#connectiontimeout)
 - [keepAliveTimeout](./Server.md#keepalivetimeout)
+- [maxRequestsPerSocket](./Server.md#maxRequestsPerSocket)
+- [requestTimeout](./Server.md#requestTimeout)
 - [ignoreTrailingSlash](./Server.md#ignoretrailingslash)
 - [maxParamLength](./Server.md#maxparamlength)
 - [onProtoPoisoning](./Server.md#onprotopoisoning)
@@ -25,7 +27,7 @@ document describes the properties available in that options object.
 - [genReqId](./Server.md#genreqid)
 - [trustProxy](./Server.md#trustProxy)
 - [pluginTimeout](./Server.md#plugintimeout)
-- [querystringParser](./Server.md#querystringParser)
+- [querystringParser](./Server.md#querystringparser)
 - [exposeHeadRoutes](./Server.md#exposeheadroutes)
 - [constraints](./Server.md#constraints)
 - [return503OnClosing](./Server.md#return503onclosing)
@@ -82,6 +84,28 @@ is in use. Also, when `serverFactory` option is specified, this option is ignore
 
 + Default: `5000` (5 seconds)
 
+<a name="factory-max-requests-per-socket"></a>
+### `maxRequestsPerSocket`
+
+Defines the maximum number of requests socket can handle before closing keep alive connection. See documentation for
+[`server.maxRequestsPerSocket` property](https://nodejs.org/dist/latest/docs/api/http.html#http_server_maxrequestspersocket)
+to understand the effect of this option. This option only applies when HTTP/1.1
+is in use. Also, when `serverFactory` option is specified, this option is ignored.
+>  At the time of this writing, only node version greater or equal to 16.10.0 support this option. Check the Node.js documentation for availability in the version you are running.
+
++ Default: `0` (no limit)
+
+<a name="factory-request-timeout"></a>
+### `requestTimeout`
+
+Defines the maximum number of milliseconds for receiving the entire request from the client.
+[`server.requestTimeout` property](https://nodejs.org/dist/latest/docs/api/http.html#http_server_requesttimeout)
+to understand the effect of this option. Also, when `serverFactory` option is specified, this option is ignored.
+It must be set to a non-zero value (e.g. 120 seconds) to protect against potential Denial-of-Service attacks in case the server is deployed without a reverse proxy in front.
+>  At the time of this writing, only node version greater or equal to 14.11.0 support this option. Check the Node.js documentation for availability in the version you are running.
+
++ Default: `0` (no limit)
+
 <a name="factory-ignore-slash"></a>
 ### `ignoreTrailingSlash`
 
@@ -298,7 +322,7 @@ fastify.get('/user/:username', (request, reply) => {
 Please note that setting this option to `false` goes against
 [RFC3986](https://tools.ietf.org/html/rfc3986#section-6.2.2.1).
 
-Also note, this setting will not affect query strings. If you want to change the way query strings are handled take a look at [`querystringParser`](./Server.md#querystringParser).
+Also note, this setting will not affect query strings. If you want to change the way query strings are handled take a look at [`querystringParser`](./Server.md#querystringparser).
 
 <a name="factory-request-id-header"></a>
 ### `requestIdHeader`
@@ -468,7 +492,7 @@ Configure the Ajv v6 instance used by Fastify without providing a custom one.
 const fastify = require('fastify')({
   ajv: {
     customOptions: {
-      nullable: false // Refer to [ajv options](https://ajv.js.org/#options)
+      nullable: false // Refer to [ajv options](https://github.com/ajv-validator/ajv/tree/v6#options)
     },
     plugins: [
       require('ajv-merge-patch'),

package/docs/TypeScript.md

@@ -35,6 +35,9 @@ This example will get you up and running with Fastify and TypeScript. It results
     }
   }
   ```
+
+*Note: Set `target` property in `tsconfig.json` to `es2017` or greater to avoid [FastifyDeprecation](https://github.com/fastify/fastify/issues/3284) warning.*
+
 3. Initialize a TypeScript configuration file:
   ```bash
   npx tsc --init

package/docs/Validation-and-Serialization.md

@@ -10,6 +10,10 @@ Fastify uses a schema-based approach, and even if it is not mandatory we recomme
 > user-provided schemas. See [Ajv](https://npm.im/ajv) and
 > [fast-json-stringify](https://npm.im/fast-json-stringify) for more
 > details.
+> 
+> Moreover, the [`$async` Ajv feature](https://ajv.js.org/guide/async-validation.html) should not be used as part of the first validation strategy.
+> This option is used to access Databases and reading them during the validation process may lead to Denial of Service Attacks to your
+> application. If you need to run `async` tasks, use [Fastify's hooks](./Hooks.md) instead after validation completes, such as `preHandler`.
 
 
 ### Core concepts
@@ -257,7 +261,7 @@ curl -X GET "http://localhost:3000/?ids=1
 
 You can also specify a custom schema validator for each parameter type (body, querystring, params, headers).
 
-For example, the following code disable type cohercion only for the `body` parameters, changing the ajv default options:
+For example, the following code disable type coercion only for the `body` parameters, changing the ajv default options:
 
 ```js
 const schemaCompilers = {
@@ -642,6 +646,7 @@ fastify.setErrorHandler(function (error, request, reply) {
 ```
 
 If you want custom error response in schema without headaches and quickly, you can take a look at [`ajv-errors`](https://github.com/epoberezkin/ajv-errors). Check out the [example](https://github.com/fastify/example/blob/HEAD/validation-messages/custom-errors-messages.js) usage.
+> Make sure to install version 1.0.1 of `ajv-errors`, because later versions of it are not compatible with AJV v6 (the version shipped by Fastify v3).
 
 Below is an example showing how to add **custom error messages for each property** of a schema by supplying custom AJV options.
 Inline comments in the schema below describe how to configure it to show a different error message for each case:
@@ -649,7 +654,10 @@ Inline comments in the schema below describe how to configure it to show a diffe
 ```js
 const fastify = Fastify({
   ajv: {
-    customOptions: { jsonPointers: true },
+    customOptions: {
+      jsonPointers: true,
+      allErrors: true // Warning: Enabling this option may lead to this security issue https://www.cvedetails.com/cve/CVE-2020-8192/
+    },
     plugins: [
       require('ajv-errors')
     ]

package/fastify.d.ts

@@ -15,6 +15,8 @@ import { FastifySchemaValidationError } from './types/schema'
 import { ConstructorAction, ProtoAction } from "./types/content-type-parser";
 import { Socket } from 'net'
 import { Options as FJSOptions } from 'fast-json-stringify'
+import { ValidatorCompiler } from '@fastify/ajv-compiler'
+import { FastifySerializerCompiler } from './types/schema';
 
 /**
  * Fastify factory function for the standard fastify http, https, or http2 server instance.
@@ -95,6 +97,8 @@ export type FastifyServerOptions<
   ignoreTrailingSlash?: boolean,
   connectionTimeout?: number,
   keepAliveTimeout?: number,
+  maxRequestsPerSocket?: number,
+  requestTimeout?: number,
   pluginTimeout?: number,
   bodyLimit?: number,
   maxParamLength?: number,
@@ -126,6 +130,17 @@ export type FastifyServerOptions<
   constraints?: {
     [name: string]: ConstraintStrategy<FindMyWayVersion<RawServer>, unknown>,
   },
+  schemaController?: {
+    bucket?: (parentSchemas?: unknown) => {
+      addSchema(schema: unknown): FastifyInstance;
+      getSchema(schemaId: string): unknown;
+      getSchemas(): Record<string, unknown>;
+    };
+    compilersFactory?: {
+      buildValidator?: ValidatorCompiler;
+      buildSerializer?: (externalSchemas: unknown, serializerOptsServerOption: FastifyServerOptions["serializerOpts"]) => FastifySerializerCompiler<unknown>;
+    };
+  };
   return503OnClosing?: boolean,
   ajv?: {
     customOptions?: AjvOptions,

package/fastify.js

@@ -132,6 +132,8 @@ function fastify (options) {
   // Update the options with the fixed values
   options.connectionTimeout = options.connectionTimeout || defaultInitOptions.connectionTimeout
   options.keepAliveTimeout = options.keepAliveTimeout || defaultInitOptions.keepAliveTimeout
+  options.maxRequestsPerSocket = options.maxRequestsPerSocket || defaultInitOptions.maxRequestsPerSocket
+  options.requestTimeout = options.requestTimeout || defaultInitOptions.requestTimeout
   options.logger = logger
   options.genReqId = genReqId
   options.requestIdHeader = requestIdHeader
@@ -420,7 +422,7 @@ function fastify (options) {
   // If the server is not ready yet, this
   // utility will automatically force it.
   function inject (opts, cb) {
-    // lightMyRequest is dynamically laoded as it seems very expensive
+    // lightMyRequest is dynamically loaded as it seems very expensive
     // because of Ajv
     if (lightMyRequest === undefined) {
       lightMyRequest = require('light-my-request')