longshotlabs / simpl-schema

A JavaScript schema validation package that supports direct validation of MongoDB update modifier objects
https://www.npmjs.com/package/simpl-schema
MIT License
560 stars 115 forks source link

Make it possible to disallow passing an array to validate() #454

Open fixmaker opened 3 years ago

fixmaker commented 3 years ago

We use mdg:validated-method in our Meteor project. The recommended way is to use SimpleSchema to validate the (single) argument that is sent from the client.

For example:

const method = new ValidatedMethod({
  name: 'myMethod',

  validate: new SimpleSchema({
    arg1: String,
    arg2: String,
  }).validator(),

  run({ arg1, arg2 }) {
     // Do something with arg1 and arg2
  }
});

// Method call
Meteor.call('myMethod', { arg1, arg2 });

The problem is that if the client code is (mistakenly) written like:

Meteor.call('myMethod, [ { arg1, arg2 } ]); // <--- Note the array enclosing the argument

...then the schema will treat the (array) argument as valid, but since the method body is expecting an object as its argument, rather than an array, so arg1 and arg2 will be destructored as undefined.

This is because SimpleSchema provides the 'convenience' of being able to pass either a single object or an array of objects to validate(). This problem could be avoided by having the option to turn off this 'convenience' feature but no such option seems to exist at the moment.

github-actions[bot] commented 3 years ago

Thank you for submitting an issue!

If this is a bug report, please be sure to include, at minimum, example code showing a small schema and any necessary calls with all their arguments, which will reproduce the issue. Even better, you can link to a saved online code editor example, where anyone can immediately run the code and see the issue.

If you are requesting a feature, include a code example of how you imagine it working if it were implemented.

If you need to edit your issue description, click the [...] and choose Edit.

Be patient. This is a free and freely licensed package that I maintain in my spare time. You may get a response in a day, but it could also take a month. If you benefit from this package and would like to see more of my time devoted to it, you can help by sponsoring.