-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(auth): Added flexible validation checks for User entity email and password #376
Conversation
b59b57b
to
81000d5
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an amazing first PR! I really like how you handled the docs too and the code is really clean.
This also made me think - all of these validations are now performed on the server, as they should be (we don't want somebody to be able to bypass our client and send direct API calls with the invalid data to the backend). But is there a use case where we'd also want to be able to perform some checks on the client too? E.g. maybe if we want to have an instant feedback as the user types email/password in etc., anything that doesn't require a database.
It might be interesting to think about how we could enable this while also avoiding the duplication of code from the perspective of Wasp developer. This is definitely out of the scope for now, but if we can think of a viable use case maybe we could write it down in issues so we can reference it in the future.
waspc/data/Generator/templates/react-app/src/auth/forms/Login.js
Outdated
Show resolved
Hide resolved
waspc/data/Generator/templates/server/src/routes/auth/signup.js
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome @shayneczyzewski ! Really thorough and complete solution to the issue, makes complete sense to me and I like it a lot.
I think it is on the spot regarding the main ideas - I only left some minor comments, they shouldn't cause any big changes.
waspc/data/Generator/templates/react-app/src/auth/forms/Signup.js
Outdated
Show resolved
Hide resolved
waspc/data/Generator/templates/server/src/core/EntityValidationError.js
Outdated
Show resolved
Hide resolved
waspc/data/Generator/templates/server/src/routes/auth/signup.js
Outdated
Show resolved
Hide resolved
waspc/data/Generator/templates/server/src/routes/auth/signup.js
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
almost done! let us know when ready and we'll finalize it :)
waspc/data/Generator/templates/server/src/routes/auth/signup.js
Outdated
Show resolved
Hide resolved
917e0b6
to
3ffbc62
Compare
Thank you @Martinsos and @matijaSos so much for your thoughtful feedback. I believe I have addressed all of them except one, which I had an open question on. It was about moving Also, if you have any thoughts on ways I can improve the PR back and for for my first time, please let me know. I tried to keep the commits focused to the comments for easier resolving. At the very end, once you verify/resolve all comments and I get the final 👍🏻 I will squash all my PR fixes into a single commit. But no rush on finalizing this, as I have taken lots of your time already yesterday. In the meantime, I plan to do more extensive local testing of this branch, including against some existing sample apps. I can then transition to the next task and come back to it once it is ready to be merged. Thanks |
waspc/data/Generator/templates/server/src/core/auth/middleware.js
Outdated
Show resolved
Hide resolved
waspc/data/Generator/templates/server/src/core/auth/middleware.js
Outdated
Show resolved
Hide resolved
waspc/data/Generator/templates/server/src/core/auth/middleware.js
Outdated
Show resolved
Hide resolved
waspc/data/Generator/templates/server/src/core/auth/middleware.js
Outdated
Show resolved
Hide resolved
return result | ||
}) | ||
|
||
registerAuthMiddleware(prismaClient) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sweet!
waspc/data/Generator/templates/server/src/routes/auth/signup.js
Outdated
Show resolved
Hide resolved
waspc/data/Generator/templates/server/src/routes/auth/signup.js
Outdated
Show resolved
Hide resolved
@@ -40,6 +41,19 @@ genCoreAuth auth = C.makeTemplateFD tmplFile dstFile (Just tmplData) | |||
"userEntityLower" .= Util.toLowerFirst userEntity | |||
] | |||
|
|||
genAuthMiddleware :: Wasp.Auth.Auth -> FileDraft |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ha nice job :D! A bit boilerplatish, this whole file, but nothing we should worry about right now, it is not worth the effort at the moment.
72c8794
to
48d8eed
Compare
waspc/data/Generator/templates/server/src/core/auth/prismaMiddleware.js
Outdated
Show resolved
Hide resolved
waspc/data/Generator/templates/server/src/core/auth/prismaMiddleware.js
Outdated
Show resolved
Hide resolved
|
||
To disable default validations, or add your own, you can do: | ||
```js | ||
const newUser = context.entities.User.create({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might be helpful to provide a more "realistic" example here: e.g. we leave _waspSkipDefaultValidations
to be false
(and comment it can be omitted or set explicitly to true) and for custom validations we use something like what you did in a feature proposal, e.g. "password must contain at least one digit". Just a thought - it took me a bit to realize that we turned off default validations and then re-written them as custom ones.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah sorry, I see now that "one digit" is also part of default validations. Maybe something like "uppercase letter".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Good thinking on the variety and more realistic. I will do should contain an uppercase letter, thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has been addressed here: 9a545b7 Thanks!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
waspc/data/Generator/templates/server/src/core/auth/prismaMiddleware.js
Outdated
Show resolved
Hide resolved
registerPasswordHashing(prismaClient) | ||
} | ||
|
||
const validateUserData = (data, args, action) => { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
data
is pretty generic, any way we can be more specific? Or maybe just go with validateUser(user, args, action)
? But not a big deal, I just remember from "Clean Code" that we should avoid "data", "info" and "container" :D.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right! I haven't paid attention to it but true. Data does have a bit of context here though but is it enough? Hard to say hm.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think swapping validateUserData(data, args, action)
to validateUser(user, args, action)
here is a worthwhile change, even with the existing context, if nothing more than to cement it. Will change, thanks! 👍🏻
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has been addressed here: 9a545b7 Thanks!
|
||
To disable default validations, or add your own, you can do: | ||
```js | ||
const newUser = context.entities.User.create({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah sorry, I see now that "one digit" is also part of default validations. Maybe something like "uppercase letter".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome work all together @shayneczyzewski , LGTM! I think we really polished this one now and covered all the nooks and crannies, and you did a great job on grasping the whole situation here and solving it. I will approve, @matijaSos you also give your approve when you are ready and then we can merge this one (squash to 1 commit or multiple commits if they make sense and then rebase).
c43c2d4
to
1187743
Compare
Description
Adds an additional Prisma middleware for User email/password validation checks that the user can disable and/or extend. This builds upon the existing pattern for hashing the password. While technically a monkey patch of Prisma's
create
/update
/etc. functions just forUser
, it feels like the cleanest approach to ensure:The goal is to provide basic checks out of the box, and allow users to use just ours (default), ours and theirs, or just theirs, like so:
These are the default validations we will check (unless disabled):
Documentation has been updated to reflect user facing concerns.
Closes #88 and fixes #100
Type of change
Please select the option(s) that is more relevant.