fastify 3.22.0 → 3.24.0

package/build/build-validation.js

@@ -16,6 +16,7 @@ const defaultInitOptions = {
   connectionTimeout: 0, // 0 sec
   keepAliveTimeout: 5000, // 5 sec
   maxRequestsPerSocket: 0, // no limit
+  requestTimeout: 0, // no limit
   bodyLimit: 1024 * 1024, // 1 MiB
   caseSensitive: true,
   disableRequestLogging: false,
@@ -49,6 +50,7 @@ const schema = {
     connectionTimeout: { type: 'integer', default: defaultInitOptions.connectionTimeout },
     keepAliveTimeout: { type: 'integer', default: defaultInitOptions.keepAliveTimeout },
     maxRequestsPerSocket: { type: 'integer', default: defaultInitOptions.maxRequestsPerSocket, nullable: true },
+    requestTimeout: { type: 'integer', default: defaultInitOptions.requestTimeout },
     bodyLimit: { type: 'integer', default: defaultInitOptions.bodyLimit },
     caseSensitive: { type: 'boolean', default: defaultInitOptions.caseSensitive },
     http2: { type: 'boolean' },

package/build/sync-version.js

@@ -0,0 +1,11 @@
+'use strict'
+
+const fs = require('fs')
+const path = require('path')
+
+// package.json:version -> fastify.js:VERSION
+const { version } = JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json')).toString('utf8'))
+
+const fastifyJs = path.join(__dirname, '..', 'fastify.js')
+
+fs.writeFileSync(fastifyJs, fs.readFileSync(fastifyJs).toString('utf8').replace(/const\s*VERSION\s*=.*/, `const VERSION = '${version}'`))

package/docs/Getting-Started.md

@@ -363,6 +363,20 @@ fastify.get('/', opts, async (request, reply) => {
 By specifying a schema as shown, you can speed up serialization by a factor of 2-3. This also helps to protect against leakage of potentially sensitive data, since Fastify will serialize only the data present in the response schema.
 Read [Validation and Serialization](Validation-and-Serialization.md) to learn more.
 
+<a name="request-payload"></a>
+### Parsing request payloads
+Fastify parses `'application/json'` and `'text/plain'` request payloads natively, with the result accessible from the [Fastify request](Request.md) object at `request.body`.<br>
+The following example returns the parsed body of a request back to the client:
+
+```js
+const opts = {}
+fastify.post('/', opts, async (request, reply) => {
+  return request.body
+})
+```
+
+Read [Content Type Parser](ContentTypeParser.md) to learn more about Fastify's default parsing functionality and how to support other content types.
+
 <a name="extend-server"></a>
 ### Extend your server
 Fastify is built to be extremely extensible and minimal, we believe that a bare-bones framework is all that is necessary to make great applications possible.<br>

package/docs/Hooks.md

@@ -222,7 +222,7 @@ fastify.addHook('onTimeout', async (request, reply) => {
   await asyncMethod()
 })
 ```
-`onTimeout` is useful if you need to monitor the request timed out in your service (if the `connectionTimeout` property is set on the Fastify instance). The `onTimeout` hook is executed when a request is timed out and the HTTP socket has been hanged up. Therefore ,you will not be able to send data to the client.
+`onTimeout` is useful if you need to monitor the request timed out in your service (if the `connectionTimeout` property is set on the Fastify instance). The `onTimeout` hook is executed when a request is timed out and the HTTP socket has been hanged up. Therefore, you will not be able to send data to the client.
 
 
 ### Manage Errors from a hook

package/docs/Recommendations.md

@@ -166,62 +166,94 @@ backend static-backend
 ### Nginx
 
 ```nginx
+# This upstream block groups 3 servers into one named backend fastify_app
+# with 2 primary servers distributed via round-robin
+# and one backup which is used when the first 2 are not reachable
+# This also assumes your fastify servers are listening on port 80.
+# more info: http://nginx.org/en/docs/http/ngx_http_upstream_module.html
 upstream fastify_app {
-  # more info: http://nginx.org/en/docs/http/ngx_http_upstream_module.html
   server 10.10.11.1:80;
   server 10.10.11.2:80;
   server 10.10.11.3:80 backup;
 }
 
+# This server block asks NGINX to respond with a redirect when
+# an incoming request from port 80 (typically plain HTTP), to 
+# the same request URL but with HTTPS as protocol.
+# This block is optional, and usually used if you are handling
+# SSL termination in NGINX, like in the example here.
 server {
-  # default server
+  # default server is a special parameter to ask NGINX
+  # to set this server block to the default for this address/port
+  # which in this case is any address and port 80
   listen 80 default_server;
   listen [::]:80 default_server;
   
-  # specify host
+  # With a server_name directive you can also ask NGINX to
+  # use this server block only with matching server name(s)
   # listen 80;
   # listen [::]:80;
   # server_name example.tld;
 
+  # This matches all paths from the request and responds with
+  # the redirect mentioned above.
   location / {
     return 301 https://$host$request_uri;
   }
 }
 
+# This server block asks NGINX to respond to requests from
+# port 443 with SSL enabled and accept HTTP/2 connections.
+# This is where the request is then proxied to the fastify_app
+# server group via port 3000.
 server {
-  # default server
+  # This listen directive asks NGINX to accept requests
+  # coming to any address, port 443, with SSL, and HTTP/2
+  # if possible.
   listen 443 ssl http2 default_server;
   listen [::]:443 ssl http2 default_server;
-  
-  # specify host
+
+  # With a server_name directive you can also ask NGINX to
+  # use this server block only with matching server name(s)
   # listen 443 ssl http2;
   # listen [::]:443 ssl http2;
   # server_name example.tld;
 
-  # public private keys
+  # Your SSL/TLS certificate (chain) and secret key in the PEM format
   ssl_certificate /path/to/fullchain.pem;
   ssl_certificate_key /path/to/private.pem;
-  ssl_trusted_certificate /path/to/chain.pem;
 
-  # use https://ssl-config.mozilla.org/ for best practice configuration
+  # A generic best practice baseline for based
+  # on https://ssl-config.mozilla.org/
   ssl_session_timeout 1d;
   ssl_session_cache shared:FastifyApp:10m;
   ssl_session_tickets off;
-  
-  # modern configuration
+
+  # This tells NGINX to only accept TLS 1.3, which should be fine
+  # with most modern browsers including IE 11 with certain updates.
+  # If you want to support older browsers you might need to add
+  # additional fallback protocols.
   ssl_protocols TLSv1.3;
   ssl_prefer_server_ciphers off;
-  
-  # HSTS (ngx_http_headers_module is required) (63072000 seconds)
+
+  # This adds a header that tells browsers to only ever use HTTPS
+  # with this server.
   add_header Strict-Transport-Security "max-age=63072000" always;
-  
-  # OCSP stapling
+
+  # The following directives are only necessary if you want to
+  # enable OCSP Stapling.
   ssl_stapling on;
   ssl_stapling_verify on;
+  ssl_trusted_certificate /path/to/chain.pem;
 
-  # custom resolver
+  # Custom nameserver to resolve upstream server names
   # resolver 127.0.0.1;
-      
+
+  # This section matches all paths and proxies it to the backend server
+  # group specified above. Note the additional headers that forward
+  # information about the original request. You might want to set
+  # trustProxy to the address of your NGINX server so the X-Forwarded
+  * fields are used by fastify.
   location / {
     # more info: http://nginx.org/en/docs/http/ngx_http_proxy_module.html
     proxy_http_version 1.1;
@@ -232,8 +264,12 @@ server {
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
-    
-    proxy_pass http://fastify_app:3000;
+
+    # This is the directive that proxies requests to the specified server.
+    # If you are using an upstream group, then you do not need to specify a port.
+    # If you are directly proxying to a server e.g.
+    # proxy_pass http://127.0.0.1:3000 then specify a port.
+    proxy_pass http://fastify_app;
   }
 }
 ```

package/docs/Request.md

@@ -4,7 +4,7 @@
 The first parameter of the handler function is `Request`.<br>
 Request is a core Fastify object containing the following fields:
 - `query` - the parsed querystring, its format is specified by [`querystringParser`](Server.md#querystringparser)
-- `body` - the body
+- `body` - the request payload, see [Content Type Parser](ContentTypeParser.md) for details on what request payloads Fastify natively parses and how to support other content types
 - `params` - the params matching the URL
 - [`headers`](#headers) - the headers getter and setter
 - `raw` - the incoming HTTP request from Node core

package/docs/Routes.md

@@ -50,6 +50,8 @@ They need to be in
 * `preSerialization(request, reply, payload, done)`: a [function](Hooks.md#preserialization) called just before the serialization, it could also be an array of functions.
 * `onSend(request, reply, payload, done)`: a [function](Hooks.md#route-hooks) called right before a response is sent, it could also be an array of functions.
 * `onResponse(request, reply, done)`: a [function](Hooks.md#onresponse) called when a response has been sent, so you will not be able to send more data to the client. It could also be an array of functions.
+* `onTimeout(request, reply, done)`: a [function](Hooks.md#ontimeout) called when a request is timed out and the HTTP socket has been hanged up.
+* `onError(request, reply, error, done)`: a [function](Hooks.md#onerror) called when an Error is thrown or send to the client by the route handler.
 * `handler(request, reply)`: the function that will handle this request. The [Fastify server](Server.md) will be bound to `this` when the handler is called. Note: using an arrow function will break the binding of `this`.
 * `errorHandler(error, request, reply)`: a custom error handler for the scope of the request. Overrides the default error global handler, and anything set by [`setErrorHandler`](Server.md#setErrorHandler), for requests to the route. To access the default handler, you can access `instance.errorHandler`. Note that this will point to fastify's default `errorHandler` only if a plugin hasn't overridden it already.
 * `validatorCompiler({ schema, method, url, httpPart })`: function that builds schemas for request validations. See the [Validation and Serialization](Validation-and-Serialization.md#schema-validator) documentation.

package/docs/Server.md

@@ -13,6 +13,7 @@ document describes the properties available in that options object.
 - [connectionTimeout](./Server.md#connectiontimeout)
 - [keepAliveTimeout](./Server.md#keepalivetimeout)
 - [maxRequestsPerSocket](./Server.md#maxRequestsPerSocket)
+- [requestTimeout](./Server.md#requestTimeout)
 - [ignoreTrailingSlash](./Server.md#ignoretrailingslash)
 - [maxParamLength](./Server.md#maxparamlength)
 - [onProtoPoisoning](./Server.md#onprotopoisoning)
@@ -94,6 +95,17 @@ is in use. Also, when `serverFactory` option is specified, this option is ignore
 
 + Default: `0` (no limit)
 
+<a name="factory-request-timeout"></a>
+### `requestTimeout`
+
+Defines the maximum number of milliseconds for receiving the entire request from the client.
+[`server.requestTimeout` property](https://nodejs.org/dist/latest/docs/api/http.html#http_server_requesttimeout)
+to understand the effect of this option. Also, when `serverFactory` option is specified, this option is ignored.
+It must be set to a non-zero value (e.g. 120 seconds) to protect against potential Denial-of-Service attacks in case the server is deployed without a reverse proxy in front.
+>  At the time of this writing, only node version greater or equal to 14.11.0 support this option. Check the Node.js documentation for availability in the version you are running.
+
++ Default: `0` (no limit)
+
 <a name="factory-ignore-slash"></a>
 ### `ignoreTrailingSlash`
 
@@ -480,7 +492,7 @@ Configure the Ajv v6 instance used by Fastify without providing a custom one.
 const fastify = require('fastify')({
   ajv: {
     customOptions: {
-      nullable: false // Refer to [ajv options](https://ajv.js.org/#options)
+      nullable: false // Refer to [ajv options](https://github.com/ajv-validator/ajv/tree/v6#options)
     },
     plugins: [
       require('ajv-merge-patch'),

package/docs/TypeScript.md

@@ -35,6 +35,9 @@ This example will get you up and running with Fastify and TypeScript. It results
     }
   }
   ```
+
+*Note: Set `target` property in `tsconfig.json` to `es2017` or greater to avoid [FastifyDeprecation](https://github.com/fastify/fastify/issues/3284) warning.*
+
 3. Initialize a TypeScript configuration file:
   ```bash
   npx tsc --init

package/docs/Validation-and-Serialization.md

@@ -10,6 +10,10 @@ Fastify uses a schema-based approach, and even if it is not mandatory we recomme
 > user-provided schemas. See [Ajv](https://npm.im/ajv) and
 > [fast-json-stringify](https://npm.im/fast-json-stringify) for more
 > details.
+> 
+> Moreover, the [`$async` Ajv feature](https://ajv.js.org/guide/async-validation.html) should not be used as part of the first validation strategy.
+> This option is used to access Databases and reading them during the validation process may lead to Denial of Service Attacks to your
+> application. If you need to run `async` tasks, use [Fastify's hooks](./Hooks.md) instead after validation completes, such as `preHandler`.
 
 
 ### Core concepts
@@ -257,7 +261,7 @@ curl -X GET "http://localhost:3000/?ids=1
 
 You can also specify a custom schema validator for each parameter type (body, querystring, params, headers).
 
-For example, the following code disable type cohercion only for the `body` parameters, changing the ajv default options:
+For example, the following code disable type coercion only for the `body` parameters, changing the ajv default options:
 
 ```js
 const schemaCompilers = {
@@ -642,6 +646,7 @@ fastify.setErrorHandler(function (error, request, reply) {
 ```
 
 If you want custom error response in schema without headaches and quickly, you can take a look at [`ajv-errors`](https://github.com/epoberezkin/ajv-errors). Check out the [example](https://github.com/fastify/example/blob/HEAD/validation-messages/custom-errors-messages.js) usage.
+> Make sure to install version 1.0.1 of `ajv-errors`, because later versions of it are not compatible with AJV v6 (the version shipped by Fastify v3).
 
 Below is an example showing how to add **custom error messages for each property** of a schema by supplying custom AJV options.
 Inline comments in the schema below describe how to configure it to show a different error message for each case:
@@ -649,7 +654,10 @@ Inline comments in the schema below describe how to configure it to show a diffe
 ```js
 const fastify = Fastify({
   ajv: {
-    customOptions: { jsonPointers: true },
+    customOptions: {
+      jsonPointers: true,
+      allErrors: true // Warning: Enabling this option may lead to this security issue https://www.cvedetails.com/cve/CVE-2020-8192/
+    },
     plugins: [
       require('ajv-errors')
     ]

package/fastify.d.ts

@@ -15,6 +15,8 @@ import { FastifySchemaValidationError } from './types/schema'
 import { ConstructorAction, ProtoAction } from "./types/content-type-parser";
 import { Socket } from 'net'
 import { Options as FJSOptions } from 'fast-json-stringify'
+import { ValidatorCompiler } from '@fastify/ajv-compiler'
+import { FastifySerializerCompiler } from './types/schema';
 
 /**
  * Fastify factory function for the standard fastify http, https, or http2 server instance.
@@ -95,6 +97,8 @@ export type FastifyServerOptions<
   ignoreTrailingSlash?: boolean,
   connectionTimeout?: number,
   keepAliveTimeout?: number,
+  maxRequestsPerSocket?: number,
+  requestTimeout?: number,
   pluginTimeout?: number,
   bodyLimit?: number,
   maxParamLength?: number,
@@ -126,6 +130,17 @@ export type FastifyServerOptions<
   constraints?: {
     [name: string]: ConstraintStrategy<FindMyWayVersion<RawServer>, unknown>,
   },
+  schemaController?: {
+    bucket?: (parentSchemas?: unknown) => {
+      addSchema(schema: unknown): FastifyInstance;
+      getSchema(schemaId: string): unknown;
+      getSchemas(): Record<string, unknown>;
+    };
+    compilersFactory?: {
+      buildValidator?: ValidatorCompiler;
+      buildSerializer?: (externalSchemas: unknown, serializerOptsServerOption: FastifyServerOptions["serializerOpts"]) => FastifySerializerCompiler<unknown>;
+    };
+  };
   return503OnClosing?: boolean,
   ajv?: {
     customOptions?: AjvOptions,

package/fastify.js

@@ -1,11 +1,11 @@
 'use strict'
 
+const VERSION = '3.24.0'
+
 const Avvio = require('avvio')
 const http = require('http')
 const querystring = require('querystring')
 let lightMyRequest
-let version
-let versionLoaded = false
 
 const {
   kAvvioBoot,
@@ -133,6 +133,7 @@ function fastify (options) {
   options.connectionTimeout = options.connectionTimeout || defaultInitOptions.connectionTimeout
   options.keepAliveTimeout = options.keepAliveTimeout || defaultInitOptions.keepAliveTimeout
   options.maxRequestsPerSocket = options.maxRequestsPerSocket || defaultInitOptions.maxRequestsPerSocket
+  options.requestTimeout = options.requestTimeout || defaultInitOptions.requestTimeout
   options.logger = logger
   options.genReqId = genReqId
   options.requestIdHeader = requestIdHeader
@@ -325,12 +326,7 @@ function fastify (options) {
       get () { return this[kSchemaController].getSerializerCompiler() }
     },
     version: {
-      get () {
-        if (versionLoaded === false) {
-          version = loadVersion()
-        }
-        return version
-      }
+      get () { return VERSION }
     },
     errorHandler: {
       get () {
@@ -421,7 +417,7 @@ function fastify (options) {
   // If the server is not ready yet, this
   // utility will automatically force it.
   function inject (opts, cb) {
-    // lightMyRequest is dynamically laoded as it seems very expensive
+    // lightMyRequest is dynamically loaded as it seems very expensive
     // because of Ajv
     if (lightMyRequest === undefined) {
       lightMyRequest = require('light-my-request')
@@ -635,7 +631,8 @@ function fastify (options) {
   function setSchemaController (schemaControllerOpts) {
     throwIfAlreadyStarted('Cannot call "setSchemaController" when fastify instance is already started!')
     const old = this[kSchemaController]
-    const schemaController = SchemaController.buildSchemaController(old.parent, Object.assign({}, old.opts, schemaControllerOpts))
+    const parent = old.parent || old
+    const schemaController = SchemaController.buildSchemaController(parent, Object.assign({}, old.opts, schemaControllerOpts))
     this[kSchemaController] = schemaController
     this.getSchema = schemaController.getSchema.bind(schemaController)
     this.getSchemas = schemaController.getSchemas.bind(schemaController)
@@ -691,20 +688,6 @@ function wrapRouting (httpHandler, { rewriteUrl, logger }) {
   }
 }
 
-function loadVersion () {
-  versionLoaded = true
-  const fs = require('fs')
-  const path = require('path')
-  try {
-    const pkgPath = path.join(__dirname, 'package.json')
-    fs.accessSync(pkgPath, fs.constants.R_OK)
-    const pkg = JSON.parse(fs.readFileSync(pkgPath))
-    return pkg.name === 'fastify' ? pkg.version : undefined
-  } catch (e) {
-    return undefined
-  }
-}
-
 /**
  * These export configurations enable JS and TS developers
  * to consumer fastify in whatever way best suits their needs.