feat(rest): expose request body validation options to be configurable

Author: raymondfeng

docs/site/Extending-request-body-parsing.md

@@ -122,7 +122,10 @@ the following configuration:
   },
   text: {
     limit: '2MB'
-  }
+  },
+  // Validation options for AJV, see https://github.com/epoberezkin/ajv#options
+  // This setting is global for all request body parsers.
+  validation: {nullable: true},
 }
 ```
 

packages/rest/src/__tests__/acceptance/validation/validation.acceptance.ts

@@ -8,6 +8,7 @@ import {model, property} from '@loopback/repository';
 import {
   Client,
   createRestAppClient,
+  expect,
   givenHttpServerConfig,
 } from '@loopback/testlab';
 import {
@@ -16,7 +17,9 @@ import {
   jsonToSchemaObject,
   post,
   requestBody,
+  RequestBodyValidationOptions,
   RestApplication,
+  RestBindings,
   SchemaObject,
 } from '../../..';
 import {aBodySpec} from '../../helpers';
@@ -98,6 +101,57 @@ describe('Validation at REST level', () => {
     });
   });
 
+  context('with request body validation options', () => {
+    class ProductController {
+      @post('/products')
+      async create(
+        @requestBody({required: true}) data: Product,
+      ): Promise<Product> {
+        return new Product(data);
+      }
+    }
+
+    before(() =>
+      givenAnAppAndAClient(ProductController, {
+        nullable: false,
+        compiledSchemaCache: new WeakMap(),
+      }),
+    );
+    after(() => app.stop());
+
+    it('rejects requests with `null` with {nullable: false}', async () => {
+      const DATA = {
+        name: 'iPhone',
+        description: null,
+        price: 10,
+      };
+      const res = await client
+        .post('/products')
+        .send(DATA)
+        .expect(422);
+
+      expect(res.body).to.eql({
+        error: {
+          code: 'VALIDATION_FAILED',
+          details: [
+            {
+              code: 'type',
+              info: {
+                type: 'string',
+              },
+              message: 'should be string',
+              path: '.description',
+            },
+          ],
+          message:
+            'The request body is invalid. See error object `details` property for more info.',
+          name: 'UnprocessableEntityError',
+          statusCode: 422,
+        },
+      });
+    });
+  });
+
   // A request body schema can be provided explicitly by the user
   // as an inlined content[type].schema property.
   context('for fully-specified request body', () => {
@@ -245,8 +299,15 @@ describe('Validation at REST level', () => {
       .expect(422);
   }
 
-  async function givenAnAppAndAClient(controller: ControllerClass) {
+  async function givenAnAppAndAClient(
+    controller: ControllerClass,
+    validationOptions?: RequestBodyValidationOptions,
+  ) {
     app = new RestApplication({rest: givenHttpServerConfig()});
+    if (validationOptions)
+      app
+        .bind(RestBindings.REQUEST_BODY_PARSER_OPTIONS)
+        .to({validation: validationOptions});
     app.controller(controller);
     await app.start();
 

packages/rest/src/__tests__/unit/request-body.validator.test.ts

@@ -3,15 +3,14 @@
 // This file is licensed under the MIT License.
 // License text available at https://opensource.org/licenses/MIT
 
-import {expect} from '@loopback/testlab';
-import {validateRequestBody} from '../../validation/request-body.validator';
-import {RestHttpErrors} from '../../';
-import {aBodySpec} from '../helpers';
 import {
   ReferenceObject,
   SchemaObject,
   SchemasObject,
 } from '@loopback/openapi-v3-types';
+import {expect} from '@loopback/testlab';
+import {RestHttpErrors, validateRequestBody} from '../../';
+import {aBodySpec} from '../helpers';
 
 const INVALID_MSG = RestHttpErrors.INVALID_REQUEST_BODY_MESSAGE;
 

packages/rest/src/index.ts

@@ -20,6 +20,7 @@ export * from './rest.server';
 export * from './sequence';
 export * from './rest-http-error';
 export * from './parse-json';
+export * from './validation/request-body.validator';
 
 // export all errors from external http-errors package
 import * as HttpErrors from 'http-errors';

packages/rest/src/parser.ts

@@ -15,7 +15,12 @@ import {RequestBody, RequestBodyParser} from './body-parsers';
 import {coerceParameter} from './coercion/coerce-parameter';
 import {RestHttpErrors} from './rest-http-error';
 import {ResolvedRoute} from './router';
-import {OperationArgs, PathParameterValues, Request} from './types';
+import {
+  OperationArgs,
+  PathParameterValues,
+  Request,
+  RequestBodyValidationOptions,
+} from './types';
 import {validateRequestBody} from './validation/request-body.validator';
 const debug = debugFactory('loopback:rest:parser');
 
@@ -30,6 +35,7 @@ export async function parseOperationArgs(
   request: Request,
   route: ResolvedRoute,
   requestBodyParser: RequestBodyParser = new RequestBodyParser(),
+  options: RequestBodyValidationOptions = {},
 ): Promise<OperationArgs> {
   debug('Parsing operation arguments for route %s', route.describe());
   const operationSpec = route.spec;
@@ -44,6 +50,7 @@ export async function parseOperationArgs(
     pathParams,
     body,
     route.schemas,
+    options,
   );
 }
 
@@ -53,6 +60,7 @@ function buildOperationArguments(
   pathParams: PathParameterValues,
   body: RequestBody,
   globalSchemas: SchemasObject,
+  options: RequestBodyValidationOptions = {},
 ): OperationArgs {
   let requestBodyIndex = -1;
   if (operationSpec.requestBody) {
@@ -80,7 +88,7 @@ function buildOperationArguments(
   }
 
   debug('Validating request body - value %j', body);
-  validateRequestBody(body, operationSpec.requestBody, globalSchemas);
+  validateRequestBody(body, operationSpec.requestBody, globalSchemas, options);
 
   if (requestBodyIndex > -1) paramArgs.splice(requestBodyIndex, 0, body.value);
   return paramArgs;

packages/rest/src/providers/parse-params.provider.ts

@@ -8,7 +8,7 @@ import {RequestBodyParser} from '../body-parsers';
 import {RestBindings} from '../keys';
 import {parseOperationArgs} from '../parser';
 import {ResolvedRoute} from '../router';
-import {ParseParams, Request} from '../types';
+import {ParseParams, Request, RequestBodyParserOptions} from '../types';
 /**
  * Provides the function for parsing args in requests at runtime.
  *
@@ -18,9 +18,16 @@ export class ParseParamsProvider implements Provider<ParseParams> {
   constructor(
     @inject(RestBindings.REQUEST_BODY_PARSER)
     private requestBodyParser: RequestBodyParser,
+    @inject(RestBindings.REQUEST_BODY_PARSER_OPTIONS, {optional: true})
+    private options: RequestBodyParserOptions = {},
   ) {}
   value() {
     return (request: Request, route: ResolvedRoute) =>
-      parseOperationArgs(request, route, this.requestBodyParser);
+      parseOperationArgs(
+        request,
+        route,
+        this.requestBodyParser,
+        this.options.validation,
+      );
   }
 }

packages/rest/src/types.ts

@@ -4,14 +4,16 @@
 // License text available at https://opensource.org/licenses/MIT
 
 import {Binding, BoundValue} from '@loopback/context';
-import {ResolvedRoute, RouteEntry} from './router';
-import {Request, Response} from 'express';
+import {ReferenceObject, SchemaObject} from '@loopback/openapi-v3-types';
+import * as ajv from 'ajv';
 import {
+  Options,
   OptionsJson,
-  OptionsUrlencoded,
   OptionsText,
-  Options,
+  OptionsUrlencoded,
 } from 'body-parser';
+import {Request, Response} from 'express';
+import {ResolvedRoute, RouteEntry} from './router';
 
 export {Request, Response};
 
@@ -82,6 +84,20 @@ export type LogError = (
   request: Request,
 ) => void;
 
+/**
+ * Options for request body validation using AJV
+ */
+export interface RequestBodyValidationOptions extends ajv.Options {
+  /**
+   * Custom cache for compiled schemas by AJV. This setting makes it possible
+   * to skip the default cache.
+   */
+  compiledSchemaCache?: WeakMap<
+    SchemaObject | ReferenceObject,
+    ajv.ValidateFunction
+  >;
+}
+
 /* eslint-disable @typescript-eslint/no-explicit-any */
 
 /**
@@ -93,6 +109,7 @@ export interface RequestBodyParserOptions extends Options {
   urlencoded?: OptionsUrlencoded;
   text?: OptionsText;
   raw?: Options;
+  validation?: RequestBodyValidationOptions;
   [name: string]: unknown;
 }
 

packages/rest/src/validation/request-body.validator.ts

@@ -14,12 +14,11 @@ import * as debugModule from 'debug';
 import * as _ from 'lodash';
 import * as util from 'util';
 import {HttpErrors, RequestBody, RestHttpErrors} from '..';
+import {RequestBodyValidationOptions} from '../types';
 
 const toJsonSchema = require('openapi-schema-to-json-schema');
 const debug = debugModule('loopback:rest:validation');
 
-export type RequestBodyValidationOptions = AJV.Options;
-
 /**
  * Check whether the request body is valid according to the provided OpenAPI schema.
  * The JSON schema is generated from the OpenAPI schema which is typically defined
@@ -28,6 +27,7 @@ export type RequestBodyValidationOptions = AJV.Options;
  * @param body - The request body parsed from an HTTP request.
  * @param requestBodySpec - The OpenAPI requestBody specification defined in `@requestBody()`.
  * @param globalSchemas - The referenced schemas generated from `OpenAPISpec.components.schemas`.
+ * @param options - Request body validation options for AJV
  */
 export function validateRequestBody(
   body: RequestBody,
@@ -55,7 +55,7 @@ export function validateRequestBody(
   }
   if (!schema) return;
 
-  options = Object.assign({coerceTypes: body.coercionRequired}, options);
+  options = Object.assign({coerceTypes: !!body.coercionRequired}, options);
   validateValueAgainstSchema(body.value, schema, globalSchemas, options);
 }
 
@@ -76,29 +76,37 @@ function convertToJsonSchema(openapiSchema: SchemaObject) {
   return jsonSchema;
 }
 
+/**
+ * Built-in cache for complied schemas by AJV
+ */
+const DEFAULT_COMPILED_SCHEMA_CACHE = new WeakMap<
+  SchemaObject | ReferenceObject,
+  AJV.ValidateFunction
+>();
+
 /**
  * Validate the request body data against JSON schema.
  * @param body - The request body data.
  * @param schema - The JSON schema used to perform the validation.
  * @param globalSchemas - Schema references.
+ * @param options - Request body validation options.
  */
-
-const compiledSchemaCache = new WeakMap();
-
 function validateValueAgainstSchema(
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   body: any,
   schema: SchemaObject | ReferenceObject,
-  globalSchemas?: SchemasObject,
-  options?: RequestBodyValidationOptions,
+  globalSchemas: SchemasObject = {},
+  options: RequestBodyValidationOptions = {},
 ) {
-  let validate;
+  let validate: AJV.ValidateFunction;
+
+  const cache = options.compiledSchemaCache || DEFAULT_COMPILED_SCHEMA_CACHE;
 
-  if (compiledSchemaCache.has(schema)) {
-    validate = compiledSchemaCache.get(schema);
+  if (cache.has(schema)) {
+    validate = DEFAULT_COMPILED_SCHEMA_CACHE.get(schema)!;
   } else {
     validate = createValidator(schema, globalSchemas, options);
-    compiledSchemaCache.set(schema, validate);
+    cache.set(schema, validate);
   }
 
   if (validate(body)) {
@@ -133,7 +141,7 @@ function createValidator(
   schema: SchemaObject,
   globalSchemas?: SchemasObject,
   options?: RequestBodyValidationOptions,
-): Function {
+): AJV.ValidateFunction {
   const jsonSchema = convertToJsonSchema(schema);
 
   const schemaWithRef = Object.assign({components: {}}, jsonSchema);