RFC: Use io-ts to validate user input.

CHANGELOG.md

@@ -5,11 +5,20 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
-## [Unreleased](https://github.com/pusher/chatkit-server-node/compare/2.4.0...HEAD)
+## [Unreleased](https://github.com/pusher/chatkit-server-node/compare/2.4.0...io-ts-validation)
 
 ### Fixes
+
 - Update mixin-deep and set-value for security fixes
 
+### Additions
+
+- Add runtime validation of arguments with io-ts
+
+### Changes
+
+- Requires typescript 2.8.1
+
 ## [2.4.0](https://github.com/pusher/chatkit-server-node/compare/2.2.0...2.4.0)
 
 ### Additions

package.json

@@ -1,7 +1,7 @@
 {
   "name": "@pusher/chatkit-server",
   "description": "Pusher Chatkit server SDK",
-  "version": "2.4.0",
+  "version": "2.5.0",
   "main": "target/src/index.js",
   "license": "MIT",
   "author": "Pusher",
@@ -16,31 +16,32 @@
   },
   "scripts": {
     "build": "rm -rf target && tsc",
-    "test": "bash -c 'set -o pipefail; yarn test:build && yarn test:run | tap-colorize'",
+    "test": "bash -c 'set -o pipefail; yarn test:build && yarn test:run && yarn test:unit | tap-colorize'",
     "test:build": "tsc -p tests",
     "test:run": "node tests/target/tests/main.js",
+    "test:unit": "node tests/target/tests/unit.js",
     "test:withSDKBuild": "yarn build && bash -c 'set -o pipefail; yarn test:build && yarn test:run | tap-colorize'",
     "install-pkg": "if type yarn &> /dev/null; then yarn; else npm i; fi",
     "publish-please": "publish-please",
     "prepublishOnly": "publish-please guard"
   },
   "dependencies": {
-    "@pusher/platform-node": "~0.15.0",
+    "@pusher/platform-node": "~0.15.5",
     "@types/got": "^9.4.0",
+    "fp-ts": "^2.3.1",
     "got": "^9.6.0",
-    "jsonwebtoken": "^8.3.0"
+    "io-ts": "^2.0.2",
+    "jsonwebtoken": "^8.5.1"
   },
   "resolutions": {
     "**/**/lodash": "^4.17.13"
   },
   "devDependencies": {
-    "@types/tape": "^4.2.32",
-    "babel-core": "^6.25.0",
-    "babel-preset-es2015": "^6.24.1",
+    "@types/tape": "^4.2.33",
     "dts-bundle": "^0.7.3",
-    "publish-please": "^5.1.1",
+    "publish-please": "^5.5.1",
     "tap-colorize": "^1.2.0",
-    "tape": "^4.9.1",
-    "typescript": "^2.6.1"
+    "tape": "^4.12.0",
+    "typescript": "^3.7.3"
   }
 }

src/chatkit.ts

@@ -11,17 +11,25 @@ import {
   TokenWithExpiry,
 } from "@pusher/platform-node"
 
-import { getCurrentTimeInSeconds } from "./utils"
+import {
+  getCurrentTimeInSeconds,
+  validateProperties,
+} from "./utils"
 import packageJSON from "../package.json"
+import * as t from 'io-ts'
+
+const NonEmptyString = t.refinement(t.string, s => s.length !== 0, "NonEmptyString");
 
 export interface AuthenticationOptions {
   userId: string
   authPayload?: AuthenticatePayload
 }
 
-export interface UserIdOptions {
-  userId: string
-}
+const UserIdOptions = t.interface({
+  userId: NonEmptyString
+},"UserIdOptions");
+type UserIdOptions = t.TypeOf<typeof UserIdOptions>;
+export { UserIdOptions };
 
 export interface GetRoomOptions {
   roomId: string
@@ -98,9 +106,14 @@ export interface GetUsersOptions {
   limit?: number
 }
 
-export interface RemoveRoomRoleForUserOptions extends UserIdOptions {
-  roomId: string
-}
+const RemoveRoomRoleForUserOptions = t.intersection([
+  UserIdOptions,
+  t.interface({
+    roomId: NonEmptyString
+  })
+],"RemoveRoomRoleForUserOptions");
+type RemoveRoomRoleForUserOptions = t.TypeOf<typeof RemoveRoomRoleForUserOptions>;
+export { RemoveRoomRoleForUserOptions };
 
 export interface BasicAssignRoleToUserOptions {
   userId: string
@@ -983,6 +996,7 @@ export default class Chatkit {
   }
 
   removeRoomRoleForUser(options: RemoveRoomRoleForUserOptions): Promise<void> {
+    validateProperties(options, RemoveRoomRoleForUserOptions)
     return this.authorizerInstance
       .request({
         method: "DELETE",

src/utils.ts

@@ -1,2 +1,9 @@
+import { ThrowReporter } from "io-ts/lib/ThrowReporter";
+import { Decoder } from "io-ts";
+
 export const getCurrentTimeInSeconds = (): number =>
   Math.floor(Date.now() / 1000)
+
+export function validateProperties<I,A>(options: I, decoder: Decoder<I,A>) {
+  ThrowReporter.report(decoder.decode(options))
+}

tests/main.ts

@@ -1486,6 +1486,47 @@ test("unreadCount and lastMessageAt", (t, client, end, fail) => {
     )
 })
 
+test("RoomRoles", (t, client, end, fail) => {
+  const user = randomUser()
+  const role = randomString()
+
+  client
+    .createUser(user)
+    .then(() => 
+      client.createRoomRole({
+        name: role,
+        permissions: []
+      })
+    )
+    .then(() =>
+      client.createRoom({
+        creatorId: user.id,
+        name: randomString(),
+      })
+    )
+    .then(room =>
+      client
+        .assignRoomRoleToUser({
+          userId: user.id,
+          roomId: room.id,
+          name: role,
+        })
+        .then(() =>
+          client.removeRoomRoleForUser({
+            userId: user.id,
+            roomId: room.id
+          })
+        )
+    )
+    .then(() =>
+      client.deleteRoomRole({
+        name: role,
+      })
+    )
+    .then(end)
+    .catch(fail)
+})
+
 function test(
   msg: string,
   cb: (

tests/tsconfig.json

@@ -5,9 +5,9 @@
     "module": "commonjs",
     "resolveJsonModule": true,
     "esModuleInterop": true,
-    "declaration": true,
     "outDir": "target",
-    "strict": true
+    "strict": true,
+    "allowJs": true
   },
   "exclude": [
     "node_modules",

tests/unit.js

@@ -0,0 +1,46 @@
+import tape from "tape"
+
+import { validateProperties } from "../../target/src/utils.js"
+import { RemoveRoomRoleForUserOptions } from "../../target/src/chatkit.js"
+
+const TEST_TIMEOUT = 200
+
+function test(name, f) {
+  tape(name, t => {
+    t.timeoutAfter(TEST_TIMEOUT)
+    f(t)
+  })
+}
+
+test("validateProperties", t => {
+  validateProperties({userId: "foo", roomId: "bar"}, RemoveRoomRoleForUserOptions)
+  t.end()
+})
+
+test("validatePropertiesUndefinedFails", t => {
+  t.throws(
+    () => validateProperties({user: "foo", roomId: "bar"}, RemoveRoomRoleForUserOptions),
+    RegExp('.*Invalid value undefined supplied.*RemoveRoomRoleForUserOptions.*userId.*NonEmptyString.*'))
+  t.end()
+})
+
+test("validatePropertiesNullFails", t => {
+  t.throws(
+    () => validateProperties({userId: "foo", roomId: null}, RemoveRoomRoleForUserOptions),
+    RegExp('.*Invalid value null supplied to.*RemoveRoomRoleForUserOptions.*roomId.*NonEmptyString.*'))
+  t.end();
+})
+
+test("validatePropertiesEmptyFails", t => {
+  t.throws(
+    () => validateProperties({userId: "foo", roomId: ""}, RemoveRoomRoleForUserOptions),
+    RegExp('.*Invalid value "" supplied to.*RemoveRoomRoleForUserOptions.*roomId.*NonEmptyString.*'))
+  t.end();
+})
+
+test("validatePropertiesWrongTypeFails", t => {
+  t.throws(
+    () => validateProperties({userId: "foo", roomId: 42}, RemoveRoomRoleForUserOptions),
+    RegExp('.*Invalid value 42 supplied to.*RemoveRoomRoleForUserOptions.*roomId.*NonEmptyString.*'))
+  t.end();
+})