feat(auth): Added flexible validation checks for User entity email and password

waspc/data/Generator/templates/react-app/src/auth/forms/Login.js

@@ -3,6 +3,7 @@ import React, { useState } from 'react'
 import { useHistory } from 'react-router-dom'
 
 import login from '../login.js'
+import { errorMessage } from '../../utils.js'
 
 const LoginForm = () => {
   const history = useHistory()
@@ -18,7 +19,7 @@ const LoginForm = () => {
       history.push('{= onAuthSucceededRedirectTo =}')
     } catch (err) {
       console.log(err)
-      window.alert('Error:' + err.message)
+      window.alert(errorMessage(err))
     }
   }
 

waspc/data/Generator/templates/react-app/src/auth/forms/Signup.js

@@ -4,6 +4,7 @@ import { useHistory } from 'react-router-dom'
 
 import signup from '../signup.js'
 import login from '../login.js'
+import { errorMessage } from '../../utils.js'
 
 const SignupForm = () => {
   const history = useHistory()
@@ -24,7 +25,7 @@ const SignupForm = () => {
       history.push('{= onAuthSucceededRedirectTo =}')
     } catch (err) {
       console.log(err)
-      window.alert('Error:' + err.message)
+      window.alert(errorMessage(err))
     }
   }
 

waspc/data/Generator/templates/react-app/src/utils.js

@@ -0,0 +1,3 @@
+export const errorMessage = (e) => {
+  return `Error: ${e.message} ${e.data?.message ? '- Details: ' + e.data.message : ''}`
+}

waspc/data/Generator/templates/server/src/core/AuthError.js

@@ -0,0 +1,17 @@
+class AuthError extends Error {
+  constructor (message, data, ...params) {
+    super(message, ...params)
+
+    if (Error.captureStackTrace) {
+      Error.captureStackTrace(this, AuthError)
+    }
+
+    this.name = this.constructor.name
+
+    if (data) {
+      this.data = data
+    }
+  }
+}
+
+export default AuthError

waspc/data/Generator/templates/server/src/core/auth/prismaMiddleware.js

@@ -0,0 +1,86 @@
+{{={= =}=}}
+import { hashPassword } from '../auth.js'
+import AuthError from '../AuthError.js'
+
+const EMAIL_FIELD = 'email'
+const PASSWORD_FIELD = 'password'
+
+// Allows flexible validation of a user entity.
+// Users can skip default validations by passing _waspSkipDefaultValidations = true
+// Users can also add custom validations by passing an array of _waspCustomValidations
+// with the same format as our default validations.
+// Throws an AuthError on the first validation that fails.
+const registerUserEntityValidation = (prismaClient) => {
+  prismaClient.$use(async (params, next) => {
+    if (params.model === '{= userEntityUpper =}') {
+      if (['create', 'update', 'updateMany'].includes(params.action)) {
+        validateUser(params.args.data, params.args, params.action)
+      } else if (params.action === 'upsert') {
+        validateUser(params.args.create.data, params.args, 'create')
+        validateUser(params.args.update.data, params.args, 'update')
+      }
+
+      // Remove from downstream Prisma processing to avoid "Unknown arg" error
+      delete params.args._waspSkipDefaultValidations
+      delete params.args._waspCustomValidations
+    }
+
+    return next(params)
+  })
+}
+
+// Make sure password is always hashed before storing to the database.
+const registerPasswordHashing = (prismaClient) => {
+  prismaClient.$use(async (params, next) => {
+    if (params.model === '{= userEntityUpper =}') {
+      if (['create', 'update', 'updateMany'].includes(params.action)) {
+        if (params.args.data.hasOwnProperty(PASSWORD_FIELD)) {
+          params.args.data[PASSWORD_FIELD] = await hashPassword(params.args.data[PASSWORD_FIELD])
+        }
+      } else if (params.action === 'upsert') {
+        if (params.args.create.data.hasOwnProperty(PASSWORD_FIELD)) {
+          params.args.create.data[PASSWORD_FIELD] =
+            await hashPassword(params.args.create.data[PASSWORD_FIELD])
+        }
+        if (params.args.update.data.hasOwnProperty(PASSWORD_FIELD)) {
+          params.args.update.data[PASSWORD_FIELD] =
+            await hashPassword(params.args.update.data[PASSWORD_FIELD])
+        }
+      }
+    }
+
+    return next(params)
+  })
+}
+
+export const registerAuthMiddleware = (prismaClient) => {
+  // NOTE: registerUserEntityValidation must come before registerPasswordHashing.
+  registerUserEntityValidation(prismaClient)
+  registerPasswordHashing(prismaClient)
+}
+
+const validateUser = (user, args, action) => {
+  user = user || {}
+
+  const defaultValidations = [
+    { validates: EMAIL_FIELD, message: 'email must be present', validator: email => !!email },
+    { validates: PASSWORD_FIELD, message: 'password must be present', validator: password => !!password },
+    { validates: PASSWORD_FIELD, message: 'password must be at least 8 characters', validator: password => password.length >= 8 },
+    { validates: PASSWORD_FIELD, message: 'password must contain a number', validator: password => /\d/.test(password) },
+  ]
+
+  const validations = [
+    ...(args._waspSkipDefaultValidations ? [] : defaultValidations),
+    ...(args._waspCustomValidations || [])
+  ]
+
+  // On 'create' validations run always, otherwise (on updates)
+  // they run only when the field they are validating is present.
+  for (const v of validations) {
+    if (action === 'create' || user.hasOwnProperty(v.validates)) {
+      if (!v.validator(user[v.validates])) {
+        throw new AuthError(v.message)
+      }
+    }
+  }
+}

waspc/data/Generator/templates/server/src/dbClient.js

@@ -1,42 +1,21 @@
 {{={= =}=}}
 import Prisma from '@prisma/client'
-{=# isAuthEnabled =}
-import { hashPassword } from './core/auth.js'
-{=/ isAuthEnabled =}
 
 {=# isAuthEnabled =}
-const PASSWORD_FIELD = 'password'
+
+import { registerAuthMiddleware } from './core/auth/prismaMiddleware.js'
 
 {=/ isAuthEnabled =}
+
 const createDbClient = () => {
   const prismaClient = new Prisma.PrismaClient()
 
   {=# isAuthEnabled =}
-  prismaClient.$use(async (params, next) => {
-    // Make sure password is always hashed before storing to the database.
-    if (params.model === '{= userEntityUpper =}') {
-      if (['create', 'update', 'updateMany'].includes(params.action)) {
-        if (params.args.data.hasOwnProperty(PASSWORD_FIELD)) {
-          params.args.data[PASSWORD_FIELD] = await hashPassword(params.args.data[PASSWORD_FIELD])
-        }
-      } else if (params.action === 'upsert') {
-        if (params.args.create.data.hasOwnProperty(PASSWORD_FIELD)) {
-          params.args.create.data[PASSWORD_FIELD] =
-            await hashPassword(params.args.create.data[PASSWORD_FIELD])
-        }
-        if (params.args.update.data.hasOwnProperty(PASSWORD_FIELD)) {
-          params.args.update.data[PASSWORD_FIELD] =
-            await hashPassword(params.args.update.data[PASSWORD_FIELD])
-        }
-      }
-    }
-
-    const result = next(params)
-
-    return result
-  })
+
+  registerAuthMiddleware(prismaClient)
 
   {=/ isAuthEnabled =}
+
   return prismaClient
 }
 

waspc/data/Generator/templates/server/src/routes/auth/signup.js

@@ -1,11 +1,23 @@
 {{={= =}=}}
 import prisma from '../../dbClient.js'
-import { handleRejection } from '../../utils.js'
+import { handleRejection, isPrismaError, prismaErrorToHttpError } from '../../utils.js'
+import AuthError from '../../core/AuthError.js'
+import HttpError from '../../core/HttpError.js'
 
 export default handleRejection(async (req, res) => {
   const userFields = req.body || {}
 
-  await prisma.{= userEntityLower =}.create({ data: userFields })
+  try {
+    await prisma.{= userEntityLower =}.create({ data: userFields })
+  } catch (e) {
+    if (e instanceof AuthError) {
+      throw new HttpError(422, 'Validation failed', { message: e.message })
+    } else if (isPrismaError(e)) {
+      throw prismaErrorToHttpError(e)
+    } else {
+      throw new HttpError(500)
+    }
+  }
 
   res.send()
 })

waspc/data/Generator/templates/server/src/utils.js

@@ -1,3 +1,5 @@
+import Prisma from '@prisma/client'
+import HttpError from './core/HttpError.js'
 
 /**
  * Decorator for async express middleware that handles promise rejections.
@@ -13,3 +15,31 @@ export const handleRejection = (middleware) => async (req, res, next) => {
     next(error)
   }
 }
+
+export const isPrismaError = (e) => {
+  return e instanceof Prisma.PrismaClientKnownRequestError ||
+    e instanceof Prisma.PrismaClientUnknownRequestError ||
+    e instanceof Prisma.PrismaClientRustPanicError ||
+    e instanceof Prisma.PrismaClientInitializationError ||
+    e instanceof Prisma.PrismaClientValidationError
+}
+
+export const prismaErrorToHttpError = (e) => {
+  if (e instanceof Prisma.PrismaClientKnownRequestError) {
+    if (e.code === 'P2002') {
+      return new HttpError(422, 'Save failed', {
+        message: `A record with the same ${e.meta.target.join(', ')} already exists.`,
+        target: e.meta.target
+      })
+    } else {
+      // TODO(shayne): Go through https://www.prisma.io/docs/reference/api-reference/error-reference#error-codes
+      // and decide which are input errors (422) and which are not (500)
+      // See: https://github.com/wasp-lang/wasp/issues/384
+      return new HttpError(500)
+    }
+  } else if (e instanceof Prisma.PrismaClientValidationError) {
+    return new HttpError(422, 'Save failed')
+  } else {
+    return new HttpError(500)
+  }
+}

waspc/src/Wasp/Generator/ServerGenerator.hs

@@ -170,6 +170,7 @@ genSrcDir wasp =
     [ [C.copySrcTmplAsIs $ C.asTmplSrcFile [relfile|app.js|]],
       [C.copySrcTmplAsIs $ C.asTmplSrcFile [relfile|server.js|]],
       [C.copySrcTmplAsIs $ C.asTmplSrcFile [relfile|utils.js|]],
+      [C.copySrcTmplAsIs $ C.asTmplSrcFile [relfile|core/AuthError.js|]],
       [C.copySrcTmplAsIs $ C.asTmplSrcFile [relfile|core/HttpError.js|]],
       [genDbClient wasp],
       [genConfigFile wasp],

waspc/src/Wasp/Generator/ServerGenerator/AuthG.hs

@@ -15,6 +15,7 @@ genAuth :: Wasp -> [FileDraft]
 genAuth wasp = case maybeAuth of
   Just auth ->
     [ genCoreAuth auth,
+      genAuthMiddleware auth,
       -- Auth routes
       genAuthRoutesIndex,
       genLoginRoute auth,
@@ -40,6 +41,19 @@ genCoreAuth auth = C.makeTemplateFD tmplFile dstFile (Just tmplData)
               "userEntityLower" .= Util.toLowerFirst userEntity
             ]
 
+genAuthMiddleware :: Wasp.Auth.Auth -> FileDraft
+genAuthMiddleware auth = C.makeTemplateFD tmplFile dstFile (Just tmplData)
+  where
+    authMiddlewareRelToSrc = [relfile|core/auth/prismaMiddleware.js|]
+    tmplFile = C.asTmplFile $ [reldir|src|] </> authMiddlewareRelToSrc
+    dstFile = C.serverSrcDirInServerRootDir </> C.asServerSrcFile authMiddlewareRelToSrc
+
+    tmplData =
+      let userEntity = Wasp.Auth._userEntity auth
+       in object
+            [ "userEntityUpper" .= userEntity
+            ]
+
 genAuthRoutesIndex :: FileDraft
 genAuthRoutesIndex = C.copySrcTmplAsIs (C.asTmplSrcFile [relfile|routes/auth/index.js|])
 

waspc/src/Wasp/Generator/WebAppGenerator.hs

@@ -145,7 +145,8 @@ generateSrcDir wasp =
       [relfile|index.css|],
       [relfile|serviceWorker.js|],
       [relfile|config.js|],
-      [relfile|queryCache.js|]
+      [relfile|queryCache.js|],
+      [relfile|utils.js|]
     ]
     ++ genOperations wasp
     ++ AuthG.genAuth wasp

web/docs/language/basic-elements.md

@@ -334,6 +334,10 @@ Check out this [section of our Todo app tutorial](/docs/tutorials/todo-app/auth#
 `EmailAndPassword` authentication method makes it possible to signup/login into the app by using email address and a password.
 This method requires that `userEntity` specified in `auth` element contains `email: string` and `password: string` fields.
 
+We provide basic validations out of the box, which you can customize as shown below. Default validations are:
+- `email`: non-empty
+- `password`: non-empty, at least 8 characters, and contains a number 
+
 #### High-level API
 
 The quickest way to get started is by using the following API generated by Wasp:
@@ -365,7 +369,28 @@ export const signUp = async (args, context) => {
 ```
 
 :::info
-You don't need to worry about hashing the password yourself! Even when you are using Prisma's client directly and calling `create()` with a plain-text password, Wasp put middleware in place that takes care of hashing it before storing it to the database.
+You don't need to worry about hashing the password yourself! Even when you are using Prisma's client directly and calling `create()` with a plain-text password, Wasp put middleware in place that takes care of hashing it before storing it to the database. An additional middleware also performs field validation.
+:::
+
+##### Customizing user entity validations
+
+To disable/enable default validations, or add your own, you can do:
+```js
+const newUser = context.entities.User.create({
+  data: { email: 'some@email.com', password: 'this will be hashed!' },
+  _waspSkipDefaultValidations: false, // can be omitted if false (default), or explicitly set to true
+  _waspCustomValidations: [
+    {
+      validates: 'password',
+      message: 'password must contain an uppercase letter',
+      validator: password => /[A-Z]/.test(password)
+    },
+  ]
+})
+```
+
+:::info
+Validations always run on `create()`, but only when the field mentioned in `validates` is present for `update()`. The validation process stops on the first `validator` to return false. If enabled, default validations run first and validate basic properties of both the `'email'` or `'password'` fields.
 :::
 
 #### Specification