feat: coerce query object with schema

[jannyHou]

Connect to #4992

Filter with non-string properties like ?filter[fields][name]=false are not coerced, so false turns to be 'false'. This PR applies coercion for parameter query.

Checklist

👉 Read and sign the CLA (Contributor License Agreement) 👈

• npm test passes on your machine
• New tests added or existing tests modified to cover all changes
• Code conforms with the style guide
• API Documentation in code was updated
• Documentation in /docs/site was updated
• Affected artifact templates in packages/cli were updated
• Affected example projects in examples/* were updated

👉 Check out how to submit a PR 👈

[agnes512]

Do we want to add fields filter to this test case? You might want to remove the comment above as it is fixed.

[jannyHou]

@agnes512 I started adding feature by manually verify the field filter in todo app, so the fields filter does work.

where: {active: true}
and
fields: {name: true}
doesn't make any difference for testing purpose, so I would say the current test is good enough to cover our case(field filter) :p

[agnes512]

Oh I mentioned it because I remember when I was testing it, it works for where for some reasons 😂

[jannyHou]

@agnes512 I removed my change and tested with todo app, filter ?[where][isComplete]=false does return correct result for some reason, weird.

But the filter it self is not coerced, see my screenshot in:

isComplete is "false" not false.

I need more time to investigate the reason, but the updated test case here should be correct. For the parameter coerce function, it wouldn't make sense if

where: {active: true} get coerced while fields: {name: true} not.

[raymondfeng]

It's a bit concerning that we hard-code the instantiation of Ajv here. We typically want to inject the ajv options.

[jannyHou]

@raymondfeng The ajv here is not used for validation, but for coercion purpose, I know this sounds a bit weird, but I couldn't find a better&simpler way to coerce based on schema.

See ajv doc in https://github.com/ajv-validator/ajv#coercing-data-types

If you search options in file coerce parameter, there is no options available for coercing object.

[raymondfeng]

We should add an optional options parameter for coerceParameter. Its main usage is in parse.ts which has access to the configuration.

[jannyHou]

@raymondfeng Let me submit another PR or at least a separate commit for options.

[raymondfeng]

Please use import instead of require.

[raymondfeng]

We should not create the Ajv instance per call. It's fairly expensive.

[jannyHou]

True, I refactored to use one global instance. Or should I use a singleton scope provider instead?

[raymondfeng]

See more details at #1757. The compile call is probably the most expensive one.

[raymondfeng]

We probably have to maintain a weak map (schema -> ajv).

[raymondfeng]

We have an AjvFactory being injected and it's available via options.

[bajtos]

IIUC, the observed behavior is caused by the fact that we are not validating non-body parameters yet, see #1573 and linked PRs that attempted to solve that, but were never finished.

Instead of trying to add coercion-only step and having to deal with problems like how to obtain the AJV instance in a way that's consistent with the existing REST-layer validations, can we please implement proper validation of all non-body parameters and thus get coercion for "free"?

Even though my old TODO comment says coerceObject should take into account spec.schema, I think it maybe better to keep coerce-parameter implementation schema-less and leave it up to the validation step to perform additional coercion as needed.

[bajtos]

validateValueAgainstSchema throws an error when AJV validation fails. Is it ok for coerceObject to throw validation errors?

validateValueAgainstSchema prints debug logs referring to request body. If we are going to use validateValueAgainstSchema for non-body parameters (which consider as a good idea), then the debug logs need to be updated accordingly.

We should also take a look at the validation errors produced for non-body parameters and make sure they provide enough information about which parameter failed the validation.

Another aspect to consider: should we report the first validation error only (I think that's the current design)? IMO, it's easier for users when all errors are reported at once. A possible solution for this is to build a "composite" object from all parameters (e.g. {filter: <value from query string>, authorization: <value from headers>}), a "composite" schema from Operation Object, and then call AJV only once. I think this way the error messages will include the parameter name ("filter", "authorization") as part of the description (path to the property with a wrong value).

[raymondfeng]

Having an aggregated schema that stitches all incoming params (including the body) is an interesting idea that we should explore. But let's leave it out of scope for this PR.

[jannyHou]

Having an aggregated schema that stitches all incoming params (including the body) is an interesting idea that we should explore.

@bajtos @raymondfeng Thanks for suggestion, I also tend to create a separate story for it. In this PR, I turned validateValueAgainstSchema a generic function that validates any value:

• rename 1st parameter: data --> value
• ValueValidationOptions extends RequestBodyValidationOptions with one more property position
• throws invalid request body error when position is 'body', throws invalid data error otherwise.

The new story can create a new rest http error for other invalid data.
WDYT?

[jannyHou]

creating the follow-up story, post here soon.

[bajtos]

Please preserve the "notice" comment and update it to describe (point out) the new behavior.

[bajtos]

On the second though, I think we should preserve the current test as-is to describe how are schema-less values handled, and add a new test to verify how does schema-based coercion work.

[jannyHou]

I think we should preserve the current test as-is to describe how are schema-less values handled, and add a new test to verify how does schema-based coercion work.

Good point, I will edit the test.

[bajtos]

Building on top of my previous comments, perhaps this is the place where to call validation?

Suggested change

	const coercedValue = await coerceParameter(rawValue, spec);
	const coercedValue = coerceParameter(rawValue, spec);
	const finalValue = await validateParameterValue(rawValue, spec);
	paramArgs.push(finalValue);

(Of course, this will not help with collecting all validation error together and other aspects mentioned in my other comments, but it may be good enough as a short-term fix.)

[bajtos]

We have also access to globalSchemas and options here, which is needed to resolve {$ref} schemas and use the same AJV factory as the request body validator does.

Suggested change

	const coercedValue = await coerceParameter(rawValue, spec);
	const coercedValue = await coerceParameter(rawValue, spec);
	const coercedValue = coerceParameter(rawValue, spec);
	const finalValue = await validateParameterValue(rawValue, spec, globalSchemas, options);
	paramArgs.push(finalValue);

[jannyHou]

Thanks @bajtos I tried calling validateValueAgainstSchema in the new place, and got 20+ test failures. This story is to coerce the object based on schema, but coerceParameter handles all types, and same to validateValueAgainstSchema if I call it after coerceParameter.

I am a bit reluctant to investigate and verify why other types fail, and considering schema is usually used for object, can we deal with other types next time?

[raymondfeng]

Let's change the reference to body with a generic one, such as value.

[jannyHou]

done.

[agnes512]

Not sure what validateValueAgainstSchema does but the rest LGTM 👍