nestjsx / crud

NestJs CRUD for RESTful APIs
https://github.com/nestjsx/crud/wiki
MIT License

Question: read-only fields #750

Open aleontiev opened 2 years ago

aleontiev commented 2 years ago

I'm wondering what the best practice is around making API fields read-only when using a TypeORM entity.

My goal is to have this field returned by GET requests but not allow it to be set by clients (e.g. for "created" / "updated" fields).

I've started off with the validation group approach using the IsEmpty validator:

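```ts
import { ApiPropertyOptional } from '@nestjs/swagger'
import { CrudValidationGroups } from '@nestjsx/crud'
import { IsEmpty } from 'class-validator'
import { Column, CreateDateColumn } from 'typeorm'

const { CREATE, UPDATE } = CrudValidationGroups

export abstract class BaseEntity {
  // Reject any create/update request whose body sets this field
  @ApiPropertyOptional()
  @Column()
  @CreateDateColumn()
  @IsEmpty({ groups: [CREATE, UPDATE] })
  created: Date
  // ...
}
```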

This mostly works; if the created field is set on PUT/PATCH/POST, the request is rejected with a validation error as expected.

However, when clients perform a PUT to replace a record, they usually send all local fields available on the record by default; if such a request contains the created field, the request will fail. I can work around this in client implementation (strip out all read-only fields before sending PUT), but I'm wondering if there is any other built-in functionality that would allow the field to be present in the request body but ignore it when making the update.

Thanks in advance, and loving this library so far!

codepushr commented 2 years ago

I'm using DTOs for this kind of problem. My DTOs typically don't have an id or date properties, so they also cannot be set by the client.
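
The DTO idea from the reply above, reduced to a dependency-free sketch (an added example, not part of the thread and not @nestjsx/crud code): only fields on an allow-list reach the update, and read-only fields a client echoes back are dropped instead of rejected. `sanitizeBody`, `ARTICLE_WRITABLE` and the "Article" resource are hypothetical names, and the PUT body is constructed.

```typescript
// Added example: hypothetical helper, not part of @nestjsx/crud.
type Check = (v: unknown) => boolean;

// Writable fields of a constructed "Article" resource.
// id / created / updated are absent on purpose, so clients can never set them.
const ARTICLE_WRITABLE: Record<string, Check> = {
  title: (v) => typeof v === "string" && v.length > 0 && v.length <= 200,
  body: (v) => typeof v === "string",
  published: (v) => typeof v === "boolean",
};

interface Sanitized {
  data: Record<string, unknown>; // safe to hand to the update
  dropped: string[];             // keys the client sent that were ignored
  errors: string[];              // writable keys carrying invalid values
}

function sanitizeBody(body: unknown, writable: Record<string, Check>): Sanitized {
  // Null-prototype target: copied keys can never touch Object.prototype.
  const out: Sanitized = { data: Object.create(null), dropped: [], errors: [] };
  if (typeof body !== "object" || body === null || Array.isArray(body)) {
    out.errors.push("body must be a JSON object");
    return out;
  }
  for (const key of Object.keys(body)) {
    // Own-property lookup only, so "constructor" or "__proto__" never match.
    const check = Object.prototype.hasOwnProperty.call(writable, key)
      ? writable[key]
      : undefined;
    const value = (body as Record<string, unknown>)[key];
    if (!check) out.dropped.push(key);
    else if (!check(value)) out.errors.push(key);
    else out.data[key] = value;
  }
  return out;
}

// Constructed PUT body: a client echoing back the whole record it fetched.
const putBody = JSON.parse(
  '{"id": 7, "title": "Hello", "published": true,' +
  ' "created": "2020-01-01T00:00:00Z", "__proto__": {"admin": true}}'
);
const result = sanitizeBody(putBody, ARTICLE_WRITABLE);
console.log(result.data, result.dropped);
```

Logging `dropped` on the server shows which clients still send read-only fields without failing their requests.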