Introduce strict deserializer visitor

[simPod]

Q	A
Bug fix?	no
New feature?	yes
Doc updated	no
BC breaks?	yes
Deprecations?	no
Tests pass?	yes
Fixed tickets	#...
License	MIT

Recently, I've found that

• false is cast to 0 for int properties
• null is cast to "" for string properties
• etc. etc.

This greatly modifies the input data that is not desired.

Consider a case when I want to deserialize json [1,2,3] and validate that all values are of int type. However, json ["1", "2", "3"] is cast to [1,2,3] so I cannot validate it after deserialization and such input is forwarded further into application.

Therefore, I've created strict visitor that does not cast values to desire types and invalid value conversion does not happen anymore. Also, nulls are handled properly. But - I had to change return types of DeserializationVisitorInterface to allow null.
This behaviour is compliant with e.g. DateHandler which returns null value for null json. So it all rather behaves as expected now.

serializer/src/Handler/DateHandler.php

Lines 193 to 199 in 91652cc

	public function deserializeDateTimeFromJson(DeserializationVisitorInterface $visitor, $data, array $type): ?\DateTimeInterface
	{
	if (null === $data) {
	return null;
	}
	return $this->parseDateTime($data, $type);

(contains #1400)

[goetas]

This seems ok, but how to make it developer friendly? how to let them choose between json and json strict? would it make sense to have it as some sort of option for the existing JsonDeserializationVisitor ?

[goetas]

it would be good to add this visitor in the list of available visitors and let devs choose if use the struct or not strict deserialization

[simPod]

@goetas according to docs, I'd expect people do this

$serializer = \JMS\Serializer\SerializerBuilder::create()
    ->setDeserializationVisitor('json', new JsonDeserializationStrictVisitorFactory())
    ->build();

I'm using bundle so not really sure how people use jms without it. I'd expect they use the way mentioned in docs 🤔 .

---

Also, it would be great to make this default in v4.

[simPod]

list of available visitors

where do I find it?

[goetas]

what about having something as this

$serializer->deserialize($data, 'SomeType', 'json');
$serializer->deserialize($data, 'SomeType', 'json_strict');

by adding it by default in

serializer/src/SerializerBuilder.php

Line 348 in 404e9cd

'json' => new JsonDeserializationVisitorFactory(),

?

(it would be nice to support it better in the bundle too)

[simPod]

Allowing $serializer->deserialize($data, 'SomeType', 'json_strict'); should add implicit support to bundle as well I guess.

[goetas]

yea but unfortuantly this is not enough, you should add

serializer/src/Handler/DateHandler.php

Line 39 in 404e9cd

foreach (['json', 'xml'] as $format) {

this to all the type handlers as well if we want to consistent json support for who uses the strict version.

The bundle does not use the SerializationBuilder, so there it is necessary to play with the symfony di.

[simPod]

I'll look into a bundle support once this is merged.

The tests found the issue you've mentioned, fixing it now.

[simPod]

@goetas This is rather unpleasant though: class JMS\Serializer\Handler\DateHandler does not have a method "deserializeDateTimeFromjson_strict" Do we want to go this way?

Looking at the implications, I'd stay with ->setDeserializationVisitor('json', new JsonDeserializationStrictVisitorFactory()) and adapt the bundle accordingly.

I think it is not really a new format so introducing json_strict seems hacky.

[goetas]

Ok, why not addign then a constructor option to the "old" JsonDeserializationVisitorFactory that based on it returns a strict visitor or a non strict one? that would make the bundle support super easy

[simPod]

@goetas much better than json_strict. Check it out.

[scyzoryck]

I like strict idea for deserialization! Thanks 🙇‍♂️

[simPod]

@goetas is there anything else? Thanks

[goetas]

thank you!

[simPod]

Sounds reasonable, will try.

…

On Wed, May 11, 2022, 10:32 Asmir Mustafic ***@***.***> wrote: Ok, why not addign then a constructor option to the "old" JsonDeserializationVisitorFactory that based on it returns a strict visitor or a non strict one? — Reply to this email directly, view it on GitHub <#1401 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AACQAJLDDABP3BT2XEUKZ3TVJNWDRANCNFSM5RCBAFRA> . You are receiving this because you authored the thread.Message ID: ***@***.***>