136/sanitize returned api data #373
Conversation
| firstName: string; | ||
| last_name: string; | ||
| @Expose() | ||
| last_name?: string; |
There was a problem hiding this comment.
Do you think it's worth to add a migration to update field names to follow a naming convention with camel-case instead of snake-case, or vice-versa? I think my preference is camelCase as it aligns with the front-end, but I'm not sure what is more common with Node/Nest.js?
There was a problem hiding this comment.
That's a good point. This was done, I believe to make table column names conform to the Postgres standard, but there should be a way to tell Typeorm to use camel case in JS.
| return UseInterceptors(new SerializeInterceptor(dto)); | ||
| }; | ||
|
|
||
| export class SerializeInterceptor implements NestInterceptor { |
There was a problem hiding this comment.
Is an interceptor similar to a middleware? (I should go to the link and read up on class-transformer :D)
There was a problem hiding this comment.
In class-transformer documentation, it looks like we may also need reflect-metadata and don't see it as a dependency.
There was a problem hiding this comment.
It's satisfied by the nestjs/common peer dependencies, which uses it as well.
There was a problem hiding this comment.
Is an interceptor similar to a middleware?
In NestJs an interceptor is middle-ware. In this specific case, we're chaining a class-transformer operation on the outgoing handler response. It's applied to any handler (controller method) using the UseInterceptors(new SerializeInterceptor(dto)) decorator, but in our case, I just wrapped it in a shorter decorator MapTo.
| try { | ||
| const hashedPw = await bcrypt.hash(createUserDto.password, parseInt(BCRYPT_WORK_FACTOR)); | ||
| createUserDto.password = hashedPw; | ||
| const user = await this.usersRepository.save(createUserDto); | ||
| delete user.password; |
There was a problem hiding this comment.
I've verified locally that password is not included in the returned payload even with this line removed. I'm not 100% clear on how this is happening, so describing here what I think is going on. In UsersService.create method, we've replaced ReturnUserDto as the output type with User, but in the controller, we use annotation @MapTo(ReturnUserDto), which I'm assuming is doing the sanitizing. Since password is not one of the properties of ReturnUserDto, what does the @Expose() annotation do and why do we use it?
There was a problem hiding this comment.
Yes, in a way. changing the return type actually has no bearing on the returned data (thanks to Javascript). Thankfully, class-transformer is very good at this. The class-transformer interceptor is getting set to
return plainToInstance(this.dto, data, {
excludeExtraneousValues: true,
strategy: 'excludeAll',
});The excludeAll strategy means that any ReturnDto property not decorated with Expose will be removed from the response.
There was a problem hiding this comment.
I went with excludeAll so that we have to explicitly list all the data we want to expose, but we can change it if it becomes to cumbersome.
Dev Summary
Changes:
class-transformerannotations to explicitly expose what we want to expose on data going out.registerendpoint.Test Plan
repro steps:
See the the test that verifies the password isn't returned:
web-app/server/test/account-manager/account-manager.controller.e2e-spec.ts
Line 87 in 50b1240
Resources