-
Notifications
You must be signed in to change notification settings - Fork 893
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to correctly bind field value when using .Sensitive() method with Entgo and Golang Echo #3891
Comments
I don't believe you should be unmarshalling directly to an ent type -- as that bypasses various checks. You should have structs specifically for your HTTP methods that can then be used with Set() and similar. This will also ensure that if you add a field that you don't want the user to set, |
Thank you for your explanation, it’s very clear. I understand that Sensitive() means the field is not serializable, which is why Echo’s Bind() function can’t use it directly. I also understand that JSON doesn’t support one-way struct tags for marshalling vs unmarshalling, so there’s no way to have both. I agree with your point that I shouldn’t be unmarshalling directly to an ent type, as this bypasses various checks. I should create structs specifically for my HTTP methods that can then be used with Set() and similar. This will ensure that if I add a field that I don’t want the user to set, Bind() can’t be used maliciously to override those fields, thereby avoiding a future security risk. package main
import (
"github.com/labstack/echo/v4"
"net/http"
)
type User struct {
Username string `json:"-"`
Password string `json:"password"`
}
type UserDTO struct {
Username string `json:"username"`
Password string `json:"password"`
}
func main() {
e := echo.New()
e.POST("/users", func(c echo.Context) error {
u := new(UserDTO)
if err := c.Bind(u); err != nil {
return err
}
user := User{
Username: u.Username,
Password: u.Password,
}
// saveUser(user)
return c.JSON(http.StatusCreated, u)
})
e.Start(":8080")
} This code creates a UserDTO structure to receive json data transmitted from the front end. Then, we safely transmit this data to our User entity. In this way, we can effectively bind data while protecting sensitive information. Thanks again for your help! |
Current Behavior:
When defining a field with the .Sensitive() method in Entgo, the value of this field cannot be correctly bound to the entity.
Expected Behavior:
The value of the field should be correctly bound to the entity, even when the field is defined as sensitive.
Steps to Reproduce:
The length of u.Password is always 0, indicating that the value of the sensitive field has not been correctly bound.
To verify this issue, I conducted the following test:
Through this test, I can confirm that the request body indeed contains the value of the password field:
I hope to get some help to solve this problem. Thank you!
Runtime Environment:
The text was updated successfully, but these errors were encountered: