Use io-ts to validate user input.

When the typescript is converted to javascript, all type checks are lost.

Instead, define the requirements in terms of io-ts types and check them at runtime.

Author: Ben Pope

CHANGELOG.md

@@ -5,11 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/pusher/chatkit-server-node/compare/2.4.0...HEAD)
+## [Unreleased](https://github.com/pusher/chatkit-server-node/compare/2.4.0...io-ts-validation)
 
 ### Fixes
+
 - Update mixin-deep and set-value for security fixes
 
+### Additions
+
+- Add runtime validation of arguments with io-ts
+
+### Changes
+
+- Requires typescript 2.8.1
+
 ## [2.4.0](https://github.com/pusher/chatkit-server-node/compare/2.2.0...2.4.0)
 
 ### Additions

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@pusher/chatkit-server",
   "description": "Pusher Chatkit server SDK",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "main": "target/src/index.js",
   "license": "MIT",
   "author": "Pusher",
@@ -16,9 +16,10 @@
   },
   "scripts": {
     "build": "rm -rf target && tsc",
-    "test": "bash -c 'set -o pipefail; yarn test:build && yarn test:run | tap-colorize'",
+    "test": "bash -c 'set -o pipefail; yarn test:build && yarn test:run && yarn test:unit | tap-colorize'",
     "test:build": "tsc -p tests",
     "test:run": "node tests/target/tests/main.js",
+    "test:unit": "node tests/target/tests/unit.js",
     "test:withSDKBuild": "yarn build && bash -c 'set -o pipefail; yarn test:build && yarn test:run | tap-colorize'",
     "install-pkg": "if type yarn &> /dev/null; then yarn; else npm i; fi",
     "publish-please": "publish-please",
@@ -27,11 +28,15 @@
   "dependencies": {
     "@pusher/platform-node": "~0.15.0",
     "@types/got": "^9.4.0",
+    "fp-ts": "1.14.4",
     "got": "^9.6.0",
-    "jsonwebtoken": "^8.3.0"
+    "io-ts": "1.5.2-",
+    "jsonwebtoken": "^8.3.0",
+    "unknown-ts": "^0.1.0"
   },
   "resolutions": {
-    "**/**/lodash": "^4.17.13"
+    "**/**/lodash": "^4.17.13",
+    "fp-ts": "1.14.4"
   },
   "devDependencies": {
     "@types/tape": "^4.2.32",
@@ -41,6 +46,6 @@
     "publish-please": "^5.1.1",
     "tap-colorize": "^1.2.0",
     "tape": "^4.9.1",
-    "typescript": "^2.6.1"
+    "typescript": "^2.8.1"
   }
 }

src/chatkit.ts

@@ -11,17 +11,26 @@ import {
   TokenWithExpiry,
 } from "@pusher/platform-node"
 
-import { getCurrentTimeInSeconds } from "./utils"
+import {
+  getCurrentTimeInSeconds,
+  validateProperties,
+} from "./utils"
 import packageJSON from "../package.json"
+import * as t from 'io-ts'
+import "unknown-ts"
+
+const NonEmptyString = t.refinement(t.string, s => s.length != 0, "NonEmptyString");
 
 export interface AuthenticationOptions {
   userId: string
   authPayload?: AuthenticatePayload
 }
 
-export interface UserIdOptions {
-  userId: string
-}
+const UserIdOptions = t.interface({
+  userId: NonEmptyString
+},"UserIdOptions");
+type UserIdOptions = t.TypeOf<typeof UserIdOptions>;
+export { UserIdOptions };
 
 export interface GetRoomOptions {
   roomId: string
@@ -98,9 +107,14 @@ export interface GetUsersOptions {
   limit?: number
 }
 
-export interface RemoveRoomRoleForUserOptions extends UserIdOptions {
-  roomId: string
-}
+const RemoveRoomRoleForUserOptions = t.intersection([
+  UserIdOptions,
+  t.interface({
+    roomId: NonEmptyString
+  })
+],"RemoveRoomRoleForUserOptions");
+type RemoveRoomRoleForUserOptions = t.TypeOf<typeof RemoveRoomRoleForUserOptions>;
+export { RemoveRoomRoleForUserOptions };
 
 export interface BasicAssignRoleToUserOptions {
   userId: string
@@ -983,6 +997,7 @@ export default class Chatkit {
   }
 
   removeRoomRoleForUser(options: RemoveRoomRoleForUserOptions): Promise<void> {
+    validateProperties(options, RemoveRoomRoleForUserOptions)
     return this.authorizerInstance
       .request({
         method: "DELETE",

src/utils.ts

@@ -1,2 +1,9 @@
+import { ThrowReporter } from "io-ts/lib/ThrowReporter";
+import { Decoder } from "io-ts";
+
 export const getCurrentTimeInSeconds = (): number =>
   Math.floor(Date.now() / 1000)
+
+export function validateProperties<I,A>(options: I, decoder: Decoder<I,A>) {
+  ThrowReporter.report(decoder.decode(options))
+}

tests/main.ts

@@ -1486,6 +1486,47 @@ test("unreadCount and lastMessageAt", (t, client, end, fail) => {
     )
 })
 
+test("RoomRoles", (t, client, end, fail) => {
+  const user = randomUser()
+  const role = randomString()
+
+  client
+    .createUser(user)
+    .then(() => 
+      client.createRoomRole({
+        name: role,
+        permissions: []
+      })
+    )
+    .then(() =>
+      client.createRoom({
+        creatorId: user.id,
+        name: randomString(),
+      })
+    )
+    .then(room =>
+      client
+        .assignRoomRoleToUser({
+          userId: user.id,
+          roomId: room.id,
+          name: role,
+        })
+        .then(() =>
+          client.removeRoomRoleForUser({
+            userId: user.id,
+            roomId: room.id
+          })
+        )
+    )
+    .then(() =>
+      client.deleteRoomRole({
+        name: role,
+      })
+    )
+    .then(end)
+    .catch(fail)
+})
+
 function test(
   msg: string,
   cb: (

tests/tsconfig.json

@@ -5,9 +5,9 @@
     "module": "commonjs",
     "resolveJsonModule": true,
     "esModuleInterop": true,
-    "declaration": true,
     "outDir": "target",
-    "strict": true
+    "strict": true,
+    "allowJs": true
   },
   "exclude": [
     "node_modules",

tests/unit.js

@@ -0,0 +1,46 @@
+import tape from "tape"
+
+import { validateProperties } from "../../target/src/utils.js"
+import { RemoveRoomRoleForUserOptions } from "../../target/src/chatkit.js"
+
+const TEST_TIMEOUT = 200
+
+function test(name, f) {
+  tape(name, t => {
+    t.timeoutAfter(TEST_TIMEOUT)
+    f(t)
+  })
+}
+
+test("validateProperties", t => {
+  validateProperties({userId: "foo", roomId: "bar"}, RemoveRoomRoleForUserOptions)
+  t.end()
+})
+
+test("validatePropertiesUndefinedFails", t => {
+  t.throws(
+    () => validateProperties({user: "foo", roomId: "bar"}, RemoveRoomRoleForUserOptions),
+    RegExp('Invalid value undefined supplied to : RemoveRoomRoleForUserOptions/userId: NonEmptyString'))
+  t.end()
+})
+
+test("validatePropertiesNullFails", t => {
+  t.throws(
+    () => validateProperties({userId: "foo", roomId: null}, RemoveRoomRoleForUserOptions),
+    RegExp('Invalid value null supplied to : RemoveRoomRoleForUserOptions/roomId: NonEmptyString'))
+  t.end();
+})
+
+test("validatePropertiesEmptyFails", t => {
+  t.throws(
+    () => validateProperties({userId: "foo", roomId: ""}, RemoveRoomRoleForUserOptions),
+    RegExp('Invalid value "" supplied to : RemoveRoomRoleForUserOptions/roomId: NonEmptyString'))
+  t.end();
+})
+
+test("validatePropertiesWrongTypeFails", t => {
+  t.throws(
+    () => validateProperties({userId: "foo", roomId: 42}, RemoveRoomRoleForUserOptions),
+    RegExp('Invalid value 42 supplied to : RemoveRoomRoleForUserOptions/roomId: NonEmptyString'))
+  t.end();
+})

yarn.lock

@@ -36,12 +36,13 @@
     "@types/node" "*"
 
 "@types/got@^9.4.0":
-  version "9.4.0"
-  resolved "https://registry.yarnpkg.com/@types/got/-/got-9.4.0.tgz#5c8b0f5a0dc1b67e676430561a0b85a0fde1d12d"
-  integrity sha512-18c/Bu9tpv6owaz17urNFfkzfxdmr3PoREqFpAkUasBbV9gc7OqChRj/e2f98abiJo7j++PhArfm66EFqAY4qA==
+  version "9.6.9"
+  resolved "https://registry.yarnpkg.com/@types/got/-/got-9.6.9.tgz#b3192188b96c871b9c67dc80d1b0336441432a38"
+  integrity sha512-w+ZE+Ovp6fM+1sHwJB7RN3f3pTJHZkyABuULqbtknqezQyWadFEp5BzOXaZzRqAw2md6/d3ybxQJt+BNgpvzOg==
   dependencies:
     "@types/node" "*"
     "@types/tough-cookie" "*"
+    form-data "^2.5.0"
 
 "@types/minimatch@*":
   version "3.0.3"
@@ -1163,6 +1164,15 @@ forever-agent@~0.6.1:
   resolved "https://registry.yarnpkg.com/forever-agent/-/forever-agent-0.6.1.tgz#fbc71f0c41adeb37f96c577ad1ed42d8fdacca91"
   integrity sha1-+8cfDEGt6zf5bFd60e1C2P2sypE=
 
+form-data@^2.5.0:
+  version "2.5.1"
+  resolved "https://registry.yarnpkg.com/form-data/-/form-data-2.5.1.tgz#f2cbec57b5e59e23716e128fe44d4e5dd23895f4"
+  integrity sha512-m21N3WOmEEURgk6B9GLOE4RuWOFf28Lhh9qGYeNlGq4VDXUlJy2th2slBNU8Gp8EzloYZOibZJ7t5ecIrFSjVA==
+  dependencies:
+    asynckit "^0.4.0"
+    combined-stream "^1.0.6"
+    mime-types "^2.1.12"
+
 form-data@~2.3.2:
   version "2.3.3"
   resolved "https://registry.yarnpkg.com/form-data/-/form-data-2.3.3.tgz#dcce52c05f644f298c6a7ab936bd724ceffbf3a6"
@@ -1172,6 +1182,11 @@ form-data@~2.3.2:
     combined-stream "^1.0.6"
     mime-types "^2.1.12"
 
+fp-ts@1.14.4, fp-ts@^1.0.0:
+  version "1.14.4"
+  resolved "https://registry.yarnpkg.com/fp-ts/-/fp-ts-1.14.4.tgz#df431e1bfe590f23ad418ca8c889880106a5008f"
+  integrity sha512-A20kqVBpV/VOpDmEDudb+FP/qOV+V/yEqHQQfHPHLHeX3alFM0JjX1cXNcU8+p8z5yeCkHFolKo7uJMRwUSMFA==
+
 fragment-cache@^0.2.1:
   version "0.2.1"
   resolved "https://registry.yarnpkg.com/fragment-cache/-/fragment-cache-0.2.1.tgz#4290fad27f13e89be7f33799c6bc5a0abfff0d19"
@@ -1394,6 +1409,13 @@ invariant@^2.2.2:
   dependencies:
     loose-envify "^1.0.0"
 
+io-ts@1.5.2-:
+  version "1.5.2"
+  resolved "https://registry.yarnpkg.com/io-ts/-/io-ts-1.5.2.tgz#e57ca59689ead86736542e27d44a9a0358d37931"
+  integrity sha512-97sFhiqyKqCj2iLJ3NUuAMDYh2pQm/VuSHu/zNbCdZt+I53PiQ/nkKIP7gKpM1fOAa9+xfHS675Ifit+4lP8kw==
+  dependencies:
+    fp-ts "^1.0.0"
+
 is-accessor-descriptor@^0.1.6:
   version "0.1.6"
   resolved "https://registry.yarnpkg.com/is-accessor-descriptor/-/is-accessor-descriptor-0.1.6.tgz#a9e12cb3ae8d876727eeef3843f8a0897b5c98d6"
@@ -2588,7 +2610,7 @@ tweetnacl@^0.14.3, tweetnacl@~0.14.0:
   resolved "https://registry.yarnpkg.com/tweetnacl/-/tweetnacl-0.14.5.tgz#5ae68177f192d4456269d108afa93ff8743f4f64"
   integrity sha1-WuaBd/GS1EViadEIr6k/+HQ/T2Q=
 
-typescript@^2.6.1:
+typescript@^2.8.1:
   version "2.9.2"
   resolved "https://registry.yarnpkg.com/typescript/-/typescript-2.9.2.tgz#1cbf61d05d6b96269244eb6a3bce4bd914e0f00c"
   integrity sha512-Gr4p6nFNaoufRIY4NMdpQRNmgxVIGMs4Fcu/ujdYk3nAZqk7supzBE9idmvfZIlH/Cuj//dvi+019qEue9lV0w==
@@ -2603,6 +2625,11 @@ union-value@^1.0.0:
     is-extendable "^0.1.1"
     set-value "^0.4.3"
 
+unknown-ts@^0.1.0:
+  version "0.1.0"
+  resolved "https://registry.yarnpkg.com/unknown-ts/-/unknown-ts-0.1.0.tgz#b34c5ec61fe84e734fa59cd9ddc3ebc32a9ecce7"
+  integrity sha512-P+mV7fa1UAJ32HN+P1/eswQ33wmXt4+AuE20K0+ixzBe3t+NF51jp7gr0W6w+dSqBPvwmwSRVJIJHqaTdyf6Ag==
+
 unset-value@^1.0.0:
   version "1.0.0"
   resolved "https://registry.yarnpkg.com/unset-value/-/unset-value-1.0.0.tgz#8376873f7d2335179ffb1e6fc3a8ed0dfc8ab559"