sukovanej / effect-http

Declarative HTTP API library for effect-ts
https://sukovanej.github.io/effect-http
MIT License
252 stars 20 forks

Validation should happen after security checks #664

Open danielo515 opened 2 months ago

danielo515 commented 2 months ago

Hello. I noticed that validation always happens no matter what. Then the security is checked, and if security fails the request is rejected. This opens an attack vector because request validation is costly compared to checking auth (especially if it is in cookies or a JWT). I tried changing the order of definition, but that makes no difference.

AMar4enko commented 2 months ago

Second this. I assume changing src/internal/serverRequestParser.ts#L49 to something along the lines below would work

 parseSecurity(endpoint).pipe(
   Effect.bindTo(`security`),
   Effect.bind(`headers`, () => parseHeaders(endpoint, parseOptions)),
   Effect.bind(`path`, () => parsePath(endpoint, parseOptions)),
   Effect.bind(`query`, () => parseQuery(endpoint, parseOptions)),
   Effect.bind(`body`, () => parseBody(endpoint, parseOptions))
 )
AMar4enko commented 2 months ago

Oh it appears I have a fork with said change - I'll make a PR today