search

MichalLytek / type-graphql

Create GraphQL schema and resolvers with TypeScript, using classes and decorators!
https://typegraphql.com
MIT License
8.03k stars 675 forks source link

Does not work with class-validator 0.14.0 #1443

Closed Martomate closed 1 year ago

Martomate commented 1 year ago

Describe the Bug When TypeGraphQL 1.1.1 is used together with class-validator 0.14.0 the TypqGraphQL validation stops working (it crashes).

This happens in the validate-args file and the reason is most likely that there was a breaking change in class-validator 0.14.0 (see here). All my integration tests work with class-validator 0.13.2, but most of them fail with 0.14.0.

To Reproduce

Create a resolver with a mutation that takes this input:

@InputType()
export class SaveCredentialsInput {
  @Field()
  username!: string

  @Field()
  password!: string
}

This is what is returned to the API caller:

{
  "message": "Argument Validation Error",
  "locations": [
    {
      "line": 3,
      "column": 9
    }
  ],
  "path": ["saveCredentials"],
  "extensions": {
    "code": "INTERNAL_SERVER_ERROR",
    "exception": {
      "validationErrors": [
        {
          "target": {
            "username": "test",
            "password": "test"
          },
          "children": [],
          "constraints": {
            "unknownValue": "an unknown value was passed to the validate function"
          }
        }
      ],
      "stacktrace": [
        "Error: Argument Validation Error",
        "    at Object.validateArg (/app/node_modules/type-graphql/dist/resolvers/validate-arg.js:29:15)",
        "    at processTicksAndRejections (node:internal/process/task_queues:96:5)",
        "    at async Promise.all (index 1)"
      ]
    }
  }
}

For some reason TypeGraphQL uses class-validator without specifying it as a dependency, so I was quite surprised to find this incompatibility.

carlocorradini commented 1 year ago

See https://github.com/MichalLytek/type-graphql/issues/1397

Using class-validator >=0.14.0:

const schema = await buildSchema({
  // ...
  validate: { forbidUnknownValues: false } // <--
});
MichalLytek commented 1 year ago

Closing as duplicate #1396 #1401 🔒

mmmeff commented 1 year ago

Is there still a security risk here with class-validator? According to its maintainers, the main change in 0.14.0 was to enable forbidUnknownValues by default

MichalLytek commented 1 year ago

With GraphQL I guess not, it has own type system, fields validation and you can't put values not present in schema.