sanitize properties from response #218

Closed
mariusbackes
Contributor

On your moleculer action you can set the sanitize property. It is an array of strings or objects, which is used to sanitize the REST response.
If the parameter in the array is a string, it will be removed from the response.
If the parameter is an object the property name will be updated from the old one to the new one.

For example: You have a user object. And on this object, the password from the user is present. But you don't want to send it back to the user:

let user = {
  id: "userId",
  name: "name",
  password: "super-secret-password"
}

In your moleculer action, provide the sanitize param, to know which properties should be removed or updated.

actions: {
  getUser: {
    ...
    sanitize: ["password", {from: "id", to: "userId"}],
    handler(ctx) { ... }
  }
}

The response looks like this:

let user = {
  userId: "userId",
  name: "name"
}

If the response is an array, the sanitizing is done for each object.

It also works with nested objects:

let user = {
  id: "userId",
  name: "name",
  password: "super-secret-password",
  setting: {
    id: "settingId",
    privateKey: "super-secret-private-key"
  }
}

For nested objects, the nested string is given by dot-notation:

actions: {
  getUser: {
    ...
    sanitize: ["password", {from: "id", to: "userId"}, "setting.privateKey", {from: "setting.id", to: "setting.settingId"}],
    handler(ctx) { ... }
  }
}

@coveralls

coveralls commented Dec 8, 2020

Pull Request Test Coverage Report for Build 533

  • 17 of 18 (94.44%) changed or added relevant lines in 1 file are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.03%) to 92.721%

Changes Missing Coverage | Covered Lines | Changed/Added Lines | %
src/index.js | 17 | 18 | 94.44%

Totals (Coverage Status)
Change from base Build 530: -0.03%
Covered Lines: 721
Relevant Lines: 745

💛 - Coveralls

@AndreMaz
Member

AndreMaz commented Jan 4, 2021

Hey @mariusbackes Thank you very much for your effort. Unfortunately I think that the proposed approach introduces some issues. I will try to explain what I mean.

I think that each service should be responsible for cleaning/filtering its own data. In other words, data cleaning should be the responsibility of the "data owner" (i.e., the service) not the gateway. Your approach solves the problem of "leaking" sensible data via the gateway but it doesn't solve for "regular" calls from other services.

I also think that this approach adds additional load for the transporter and especially for the api gateway.

Finally, I think that the desired behavior can be easily achieved with the actions after hooks.
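
An added example, not code from this pull request or from the Moleculer project: the sanitize rules from the description (remove by name, rename with `from`/`to`, dot-notation for nested properties, per-element handling of arrays) written as a plain function with the `(ctx, res) => res` shape of an action after hook, so the filtering runs in the service that owns the data. The names `sanitize`, `sanitizeHook`, `splitPath` and `parentOf` are hypothetical, and the copy-before-edit and the rejection of prototype keys in paths are assumptions beyond what the PR describes.

```javascript
// Added example. Rule format follows the PR description; all function names are hypothetical.
const FORBIDDEN = new Set(["__proto__", "constructor", "prototype"]);
const own = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Split a dot-notation path and reject keys that could reach the prototype chain.
function splitPath(path) {
  const keys = String(path).split(".");
  if (keys.some(k => k === "" || FORBIDDEN.has(k))) throw new Error(`invalid sanitize path: ${path}`);
  return keys;
}

// Return the object that owns the last key of the path, or undefined if the path is absent.
function parentOf(obj, keys) {
  let cur = obj;
  for (const k of keys.slice(0, -1)) {
    if (cur === null || typeof cur !== "object" || !own(cur, k)) return undefined;
    cur = cur[k];
  }
  return cur !== null && typeof cur === "object" ? cur : undefined;
}

function sanitizeOne(item, rules) {
  if (item === null || typeof item !== "object") return item;
  const copy = JSON.parse(JSON.stringify(item)); // never mutate the stored or cached entity
  for (const rule of rules) {
    const from = splitPath(typeof rule === "string" ? rule : rule.from);
    const src = parentOf(copy, from);
    const key = from[from.length - 1];
    if (!src || !own(src, key)) continue;
    const value = src[key];
    delete src[key]; // string rule: remove; object rule: remove, then re-add under the new name
    if (typeof rule !== "string") {
      const to = splitPath(rule.to);
      const dst = parentOf(copy, to);
      if (dst) dst[to[to.length - 1]] = value; // missing target parent: the value stays removed
    }
  }
  return copy;
}

// Arrays are sanitized element by element, as the description specifies.
const sanitize = (res, rules) =>
  Array.isArray(res) ? res.map(r => sanitizeOne(r, rules)) : sanitizeOne(res, rules);

// Same shape as a Moleculer action "after" hook, (ctx, res) => res, so it runs in the owning service.
const sanitizeHook = rules => (ctx, res) => sanitize(res, rules);

// Constructed sample data, taken from the nested example in the description.
const sampleUser = { id: "userId", name: "name", password: "super-secret-password",
  setting: { id: "settingId", privateKey: "super-secret-private-key" } };
const sampleRules = ["password", { from: "id", to: "userId" }, "setting.privateKey",
  { from: "setting.id", to: "setting.settingId" }];
console.log(sanitizeHook(sampleRules)(null, sampleUser));
```

Because the hook runs inside the service, calls from other services receive the same filtered result as calls through the gateway.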

@icebob icebob closed this Mar 26, 2021