h3-typebox's Introduction

h3-typebox

JSON schema validation for h3, using typebox & ajv.

Install

# Using npm
npm install h3-typebox

# Using yarn
yarn add h3-typebox

# Using pnpm
pnpm install h3-typebox

Usage

import { createServer } from 'http'
import { createApp } from 'h3'
import { validateBody, validateQuery, Type } from 'h3-typebox'

const app = createApp()
app.use('/', async (event) => {
  // Validate body
  const body = await validateBody(event, Type.Object({
    optional: Type.Optional(Type.String()),
    required: Type.Boolean(),
  }))

  // Validate query
  const query = validateQuery(event, Type.Object({
    required: Type.String(),
  }))
})

createServer(app).listen(process.env.PORT || 3000)

See the TypeBox documentation for how to define your schema with Type.

Options

You can pass an options object to validateBody or validateQuery. Currently the following options are supported:

  • includeAjvFormats: Boolean

includeAjvFormats

Some formats, such as date, date-time or email, are specified in the current JSON Schema draft but are not included in ajv by default; they are provided by the ajv-formats package. If you need one of these formats, set includeAjvFormats: true in the options of validateBody or validateQuery:

// Body
validateBody(event, schema, { includeAjvFormats: true })

// Query
validateQuery(event, schema, { includeAjvFormats: true })

Currently, only the following extended formats are supported for performance and security reasons:

  • date-time
  • time
  • date
  • email
  • uri
  • uri-reference

These can be used by custom schemas with the Type.Unsafe method or with an inline schema:

const bodySchema = Type.Object({
  optional: Type.Optional(Type.String()),
  dateTime: Type.String({ format: 'date-time' })
})
validateBody(event, bodySchema, { includeAjvFormats: true })

Development 💻

  • Clone this repository
  • Install dependencies using pnpm install
  • Run interactive tests using pnpm dev

License

Made with 💙

Published under MIT License.

h3-typebox's People

Contributors

gergo-hortobagyi, itpropro, keslol, kevinmarrec, pi0

h3-typebox's Issues

Fix failing builds with current nitro version

A current nitro project cannot be compiled because of the dependency on h3 0.7.21. h3 had breaking changes with 0.8.0, which leads to compilation errors:

import { eventHandler, setHeaders, sendRedirect, defineEventHandler, handleCacheHeaders, createEvent, getRequestHeader, createError, createApp, createRouter as createRouter$1, lazyEventHandler, toNodeListener } from 'h3';
                                                                                                                                                                                                   ^^^^^^^^^^^^^^
SyntaxError: The requested module 'h3' does not provide an export named 'toNodeListener'

We should at least update the dependency to 0.8.0 and continuously update the h3 dependency until it reaches 1.0.0 in CI/CD. Maybe add renovate to stay up to date?

PS: @kevinmarrec can you add the hacktoberfest label to the repo? Contributions can then be added to the contributors hacktoberfest score :)

Code generation from strings disallowed for this context

When running validateBody (probably also the other helpers), it throws an error in production on vercel-edge (cloudflare workers). Most likely because they restrict certain JavaScript functions like eval(), new Function(), setTimeout([string]), and setInterval([string]), which can execute code generated from strings.

I'm not sure why these functions are needed but it would be better to avoid them.

Verify for only allowed fields

Hey @kevinmarrec,
great h3 addition, I had no problems with using it so far. As I am pretty new to TypeBox, I wanted to ask what the best way would be to make sure that only the provided fields are actually on the request.
From a security perspective, it is discussable, but sometimes you want to have paramA, paramB and paramC as query parameters and use validateQuery to define them as strings (what query strings always are). If a user now queries the URL with paramX, it will not throw an error, as the field will not be verified by typebox.
Is there any way to handle a catch-all for all parameters/body entries that are not part of the schema, or is this something you would implement in nitro natively?
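
Added example for the two issues above ("Code generation from strings disallowed for this context" and "Verify for only allowed fields"); it is not code from h3-typebox, TypeBox or Ajv. In JSON Schema, fields outside the schema are rejected with additionalProperties: false, which TypeBox accepts as an option in the second argument of Type.Object. Ajv compiles schemas into functions through code generation, so the hypothetical checkSchema helper below interprets the schema instead and supports only the keywords used here.

```javascript
// Added example: not h3-typebox, TypeBox or Ajv code.
// Plain JSON Schema; the TypeBox form would pass { additionalProperties: false }
// as the second argument of Type.Object.
const querySchema = {
  type: 'object',
  properties: {
    paramA: { type: 'string' },
    paramB: { type: 'string' },
    paramC: { type: 'string' }
  },
  required: ['paramA'],
  additionalProperties: false // reject keys not listed in properties
}

const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key)

// Hypothetical helper. It walks the schema on every call instead of compiling
// it with new Function(), so it needs no code generation from strings.
// Supported subset: type (object or a typeof name), properties, required,
// additionalProperties: false.
function checkSchema (schema, value, path = '') {
  if (schema.type !== 'object') {
    return typeof value === schema.type ? [] : [`${path || '/'}: expected ${schema.type}`]
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return [`${path || '/'}: expected object`]
  }
  const errors = []
  const props = schema.properties || {}
  for (const key of schema.required || []) {
    if (!own(value, key)) errors.push(`${path}/${key}: required`)
  }
  for (const key of Object.keys(value)) {
    // own() rather than `in`, so "constructor" or "__proto__" sent by a client
    // is not mistaken for a declared property
    if (own(props, key)) {
      errors.push(...checkSchema(props[key], value[key], `${path}/${key}`))
    } else if (schema.additionalProperties === false) {
      errors.push(`${path}/${key}: unknown field`)
    }
  }
  return errors
}

// Constructed sample queries
console.log(checkSchema(querySchema, { paramA: 'x', paramB: 'y' }))
console.log(checkSchema(querySchema, { paramA: 'x', paramX: '1' }))
console.log(checkSchema(querySchema, JSON.parse('{"paramA":"x","constructor":"y"}')))
```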
