Skip to content

Server boostrap.ts: make forbidNonWhitelisted false #348

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
AdamFipke wants to merge 3 commits into
base: main
Choose a base branch
from
Open

Server boostrap.ts: make forbidNonWhitelisted false #348

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
180be56
remove second addGlobalsToApp and make forbidNonWhitelisted false
AdamFipke Aug 11, 2025
6d4b21e
update the one test that actually checked for bad body
AdamFipke Aug 12, 2025
07c3d26
fix test
AdamFipke Aug 12, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 18 additions & 2 deletions packages/server/src/bootstrap.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,6 @@ export async function bootstrap(hot: any): Promise<void> {
);
}

addGlobalsToApp(app);
app.setGlobalPrefix('api/v1');
app.use(morgan('dev'));
app.use(bodyParser.json({ limit: '50mb' }));
Expand Down Expand Up @@ -69,9 +68,26 @@ export async function bootstrap(hot: any): Promise<void> {
// Global settings that should be true in prod and in integration tests
export function addGlobalsToApp(app: INestApplication): void {
app.useGlobalPipes(
// Y'know all of our classes with decorators inside common/index.ts?
// Those are known as DTOs and we put them on our endpoints,
// and this ValidationPipe will validate the bodies so that whatever the frontend sends
// will match the DTOs. This prevents the frontend from sending bad data to the backend (very very important).
new ValidationPipe({
// This will turn our DTOs into essentially a "whitelist", where any properties
// that are in the object passed to the endpoint but are not inside the DTO are not allowed.
// By default, this will DROP any properties that are not in the DTO (unless forbidNonWhitelisted is true).
whitelist: true,
forbidNonWhitelisted: true,
// This controls whether or not we want to throw an error to the frontend if the body
// has properties that are not in the DTO.
// Having this false may result in some hidden errors, where you may try to pass something
// to the backend just for it to mysteriously disappear.
// But having this true may result in actual annoying errors for our users if for some reason
// we were to mess up our frontend and call our backend with bad data.
// So there's tradeoffs either way.
forbidNonWhitelisted: false,
// This will automatically transform the body to the DTO types.
// Over HTTP, the whole body and properties are a string so this will automatically
// transform them into numbers, booleans, other objects, etc.
transform: true,
}),
);
Expand Down
6 changes: 5 additions & 1 deletion packages/server/test/question.integration.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1081,7 +1081,11 @@ describe('Question Integration', () => {
name: ta.name,
},
})
.expect(400);
.expect(200); // the taHelped should have gotten dropped automatically

// fetch the question from the DB to make sure it wasn't updated
const question = await QuestionModel.findOne({ where: { id: q.id } });
expect(question.taHelped).toBeUndefined();
});
it('PATCH status to helping as student not allowed', async () => {
const course = await CourseFactory.create();
Expand Down