-
Notifications
You must be signed in to change notification settings - Fork 93
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix coercion of input arguments (HTTP/REST) #312
Comments
Case-insensitive boolean stringsBoth |
This all looks really good and I'm glad you guys are taking a serious look at it.
On the contentious issues:
|
Sure, and I thought we all agreed that we were moving away from implicit coercion.
If you specify var properties = {date: {type: Date}};
var MyModel = loopback.createModel('MyModel', properties);
var data = {date: '2016-06-10T16:25:55.132Z'};
var inst = new MyModel(data);
assert(inst.date instanceof Date); |
Done and released. |
Based on the integration test suite written in #304, I am proposing to make the following changes/fixes in the way how we coerce input arguments.
I think most (if not all) of this changes can be considered as backwards-compatible fixes to be landed on 2.x too.
@STRML @ritch thoughts?
Terminology:
json body
- the argument is set to the full request body which is JSON encodedjson form
- the argument is read from a property in the JSON-encoded request bodyurlencoded
- the argument is read either from query string or from urlencoded request bodyTighten validation of required arguments
json body - any - required
should rejectnull
valuejson form - array - required
should reject empty request andnull
valuejson form - * - required
should reject empty request,null
valueand empty string value
urlencoded - *
should reject empty query,?arg
,?arg=
,?arg=null
Reject scalar values for array type
json body - array of *
json form - array - required
Do not coerce missing value to empty array
This may be possibly controversial. Should we introduce a config option
to control this behaviour?
json form - array of *
should convert empty body toundefined
json form - array of *
should convertnull
tonull
urlencoded - array of *
should convert?
,?arg
,?arg=
toundefined
Do not coerce values from JSON-encoded sources
json body - array of *
json form - array of *
json body - array of any
json form - array of any
json form - boolean
(reject strings, numbers, etc.)json form - date
(reject booleans, large numbers, non-date strings, etc.)json form - number
(reject strings, booleans, arrays, etc.)json form - object
(reject strings, booleans, numbers)json form - string
(reject booleans, numbers, objects, arrays, etc.)Allow
null
as a value for object typeConvert
null
input tonull
value:json body - object - optional
json form - *
urlencoded - *
Treat missing argument as
undefined
Set argument to
undefined
when not set:json form - *
urlencoded - *
- treat?arg
asundefined
Don't coerce too large numbers
urlencoded - any
- keep?arg=2343546576878989879789
as string valueRecognize scientific notation when parsing strings
urlencoded - any
- convert?arg=1.234e%2B30
to a numberMalformed JSON in urlencoded value should trigger 400 Bad Request
urlencoded - array of *
should reject?arg={malformed}
and?arg=[malformed]
urlencoded - object
should reject?arg={malformed}
and?arg=[malformed]
Convert numeric timestamps from urlencoded sources to number
?arg=0
should be converted tonew Date(0)
for bothurlencoded - date
urlencoded - array of date
Do not coerce array items from urlencoded sources
urlencoded - array of *
Do not coerce non-boolean values
urlencoded - boolean
should reject all values excepttrue
/false
, e.g.?arg=0
and?arg=1
Avoid
NaN
dates, return 400 Bad Request insteadExamples:
?arg=undefined
,?arg=true
, but also?arg=2343546576878989879789
Open points to discuss
Should we coerce missing array values into an empty array? Perhaps make
this configurable?
Should we coerce date strings stored in object properties/array items
from JSON sources for
type:object
,type:any
andtype:array
?Example inputs:
Should we keep distinction between
undefined
(argument is missing) andnull
(argument is provided withnull
value)?Should we allow array values for object type arguments? If yes, should
we allow date strings too and coerce them into Date instances?
How to treat
?arg=
in query string/urlencoded request body? Should wetreat it as an empty string or as a missing value?
How to treat
?arg=null
, should we parse it asnull
or as a string"null"
?urlencoded - any
- should we coerce Date strings to Date instances? Whatformats other than the full ISO string should be recognized, e.g
2016-05-01
or
T09:30:00
?The text was updated successfully, but these errors were encountered: