fastify 3.22.1 → 3.23.0

package/build/build-validation.js

@@ -16,6 +16,7 @@ const defaultInitOptions = {
   connectionTimeout: 0, // 0 sec
   keepAliveTimeout: 5000, // 5 sec
   maxRequestsPerSocket: 0, // no limit
+  requestTimeout: 0, // no limit
   bodyLimit: 1024 * 1024, // 1 MiB
   caseSensitive: true,
   disableRequestLogging: false,
@@ -49,6 +50,7 @@ const schema = {
     connectionTimeout: { type: 'integer', default: defaultInitOptions.connectionTimeout },
     keepAliveTimeout: { type: 'integer', default: defaultInitOptions.keepAliveTimeout },
     maxRequestsPerSocket: { type: 'integer', default: defaultInitOptions.maxRequestsPerSocket, nullable: true },
+    requestTimeout: { type: 'integer', default: defaultInitOptions.requestTimeout },
     bodyLimit: { type: 'integer', default: defaultInitOptions.bodyLimit },
     caseSensitive: { type: 'boolean', default: defaultInitOptions.caseSensitive },
     http2: { type: 'boolean' },

package/docs/Server.md

@@ -13,6 +13,7 @@ document describes the properties available in that options object.
 - [connectionTimeout](./Server.md#connectiontimeout)
 - [keepAliveTimeout](./Server.md#keepalivetimeout)
 - [maxRequestsPerSocket](./Server.md#maxRequestsPerSocket)
+- [requestTimeout](./Server.md#requestTimeout)
 - [ignoreTrailingSlash](./Server.md#ignoretrailingslash)
 - [maxParamLength](./Server.md#maxparamlength)
 - [onProtoPoisoning](./Server.md#onprotopoisoning)
@@ -94,6 +95,17 @@ is in use. Also, when `serverFactory` option is specified, this option is ignore
 
 + Default: `0` (no limit)
 
+<a name="factory-request-timeout"></a>
+### `requestTimeout`
+
+Defines the maximum number of milliseconds for receiving the entire request from the client.
+[`server.requestTimeout` property](https://nodejs.org/dist/latest/docs/api/http.html#http_server_requesttimeout)
+to understand the effect of this option. Also, when `serverFactory` option is specified, this option is ignored.
+It must be set to a non-zero value (e.g. 120 seconds) to protect against potential Denial-of-Service attacks in case the server is deployed without a reverse proxy in front.
+>  At the time of this writing, only node version greater or equal to 14.11.0 support this option. Check the Node.js documentation for availability in the version you are running.
+
++ Default: `0` (no limit)
+
 <a name="factory-ignore-slash"></a>
 ### `ignoreTrailingSlash`
 
@@ -480,7 +492,7 @@ Configure the Ajv v6 instance used by Fastify without providing a custom one.
 const fastify = require('fastify')({
   ajv: {
     customOptions: {
-      nullable: false // Refer to [ajv options](https://ajv.js.org/#options)
+      nullable: false // Refer to [ajv options](https://github.com/ajv-validator/ajv/tree/v6#options)
     },
     plugins: [
       require('ajv-merge-patch'),

package/docs/Validation-and-Serialization.md

@@ -10,6 +10,10 @@ Fastify uses a schema-based approach, and even if it is not mandatory we recomme
 > user-provided schemas. See [Ajv](https://npm.im/ajv) and
 > [fast-json-stringify](https://npm.im/fast-json-stringify) for more
 > details.
+> 
+> Moreover, the [`$async` Ajv feature](https://ajv.js.org/guide/async-validation.html) should not be used as part of the first validation strategy.
+> This option is used to access Databases and reading them during the validation process may lead to Denial of Service Attacks to your
+> application. If you need to run `async` tasks, use [Fastify's hooks](./Hooks.md) instead after validation completes, such as `preHandler`.
 
 
 ### Core concepts
@@ -642,6 +646,7 @@ fastify.setErrorHandler(function (error, request, reply) {
 ```
 
 If you want custom error response in schema without headaches and quickly, you can take a look at [`ajv-errors`](https://github.com/epoberezkin/ajv-errors). Check out the [example](https://github.com/fastify/example/blob/HEAD/validation-messages/custom-errors-messages.js) usage.
+> Make sure to install version 1.0.1 of `ajv-errors`, because later versions of it are not compatible with AJV v6 (the version shipped by Fastify v3).
 
 Below is an example showing how to add **custom error messages for each property** of a schema by supplying custom AJV options.
 Inline comments in the schema below describe how to configure it to show a different error message for each case:
@@ -649,7 +654,10 @@ Inline comments in the schema below describe how to configure it to show a diffe
 ```js
 const fastify = Fastify({
   ajv: {
-    customOptions: { jsonPointers: true },
+    customOptions: {
+      jsonPointers: true,
+      allErrors: true // Warning: Enabling this option may lead to this security issue https://www.cvedetails.com/cve/CVE-2020-8192/
+    },
     plugins: [
       require('ajv-errors')
     ]

package/fastify.d.ts

@@ -97,6 +97,8 @@ export type FastifyServerOptions<
   ignoreTrailingSlash?: boolean,
   connectionTimeout?: number,
   keepAliveTimeout?: number,
+  maxRequestsPerSocket?: number,
+  requestTimeout?: number,
   pluginTimeout?: number,
   bodyLimit?: number,
   maxParamLength?: number,

package/fastify.js

@@ -133,6 +133,7 @@ function fastify (options) {
   options.connectionTimeout = options.connectionTimeout || defaultInitOptions.connectionTimeout
   options.keepAliveTimeout = options.keepAliveTimeout || defaultInitOptions.keepAliveTimeout
   options.maxRequestsPerSocket = options.maxRequestsPerSocket || defaultInitOptions.maxRequestsPerSocket
+  options.requestTimeout = options.requestTimeout || defaultInitOptions.requestTimeout
   options.logger = logger
   options.genReqId = genReqId
   options.requestIdHeader = requestIdHeader