Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(index): add preHandler hook #207

Closed
wants to merge 1 commit into from
Closed

fix(index): add preHandler hook #207

wants to merge 1 commit into from

Conversation

Fdawgs
Copy link
Member

@Fdawgs Fdawgs commented Jan 27, 2025
edited
Loading

The documentation states that this plugin adds a preHandler hook but the code says otherwise.

I noticed this as I was registering @fastify/bearer-auth before @fastify/cors (which is an onRequest hook) and pre-flight requests were being caught by this plugin, and auth shouldn't be applied to them.

Checklist

@Fdawgs
fix(index): register as preHandler hook
cddcfd6 
Signed-off-by: Frazer Smith <frazer.dev@icloud.com>
@Fdawgs Fdawgs changed the title fix(index): register as preHandler hook fix(index): add preHandler hook Jan 27, 2025
@Fdawgs Fdawgs requested a review from a team January 28, 2025 07:51
gurgunday
gurgunday reviewed Jan 28, 2025
View reviewed changes
index.js
@@ -27,7 +27,7 @@ function fastifyBearerAuth (fastify, options, done) {

try {
if (options.addHook === true) {
fastify.addHook('onRequest', verifyBearerAuthFactory(options))
fastify.addHook('preHandler', verifyBearerAuthFactory(options))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not preValidation or preParsing for instance? We shouldn't validate anything if the auth isn't there in my opinion

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That also works, was just updating the handler to correctly match the documentation. Can be changed!

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah sure, I was just pointing it out :)

In any case, this would be a major right?

jsumners
jsumners reviewed Jan 28, 2025
View reviewed changes
Copy link
Member

@jsumners jsumners left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change happened in 78adb35

But I cannot find a corresponding issue to describe why it was done. It looks like @delvedor just did it.

gurgunday
gurgunday reviewed Jan 28, 2025
View reviewed changes
Copy link
Member

@gurgunday gurgunday left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we change it to preParsing if we're going to release a major?

@Fdawgs
Copy link
Member Author

Fdawgs commented Jan 28, 2025

Can we change it to preParsing if we're going to release a major?

I think that would be best. I've just rejigged @fastify/auth's readme and it has this section that supports the use of the preParsing handler.

climba03003
climba03003 requested changes Jan 29, 2025
View reviewed changes
Copy link
Member

@climba03003 climba03003 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would update the document and make the hook configurable.

Eomm
Eomm reviewed Jan 29, 2025
View reviewed changes
Copy link
Member

@Eomm Eomm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I do agree that this would be a major, I think the onRequest hook seems right to me.

Whenever we get a request, we want to ensure that it is a valid client to call us.
Example: I have an endpoint with auth configured, if I get a malicious payload of 1GB, with this change we will parse it!

So, reading the issue:

I noticed this as I was registering @fastify/bearer-auth before @fastify/cors (which is an onRequest hook) and pre-flight requests were being caught by this plugin, and auth shouldn't be applied to them.

Isn't switching the cors/auth plugins the solution?
Or at most: fix the documentation

@Fdawgs
Copy link
Member Author

Fdawgs commented Jan 29, 2025

While I do agree that this would be a major, I think the onRequest hook seems right to me.

Whenever we get a request, we want to ensure that it is a valid client to call us. Example: I have an endpoint with auth configured, if I get a malicious payload of 1GB, with this change we will parse it!

I'm leaning more to making it configurable as climba suggested. Both onRequest and preParsing hooks should negate this.

@Fdawgs Fdawgs mentioned this pull request Jan 29, 2025
Merged
2 tasks
@jsumners
Copy link
Member

jsumners commented Feb 1, 2025

Seems fair. Make it configurable but default to onRequest.

@Fdawgs Fdawgs closed this Feb 4, 2025
@Fdawgs Fdawgs deleted the Fdawgs-patch-1 branch February 4, 2025 12:07
@Fdawgs Fdawgs mentioned this pull request Feb 4, 2025
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jsumners jsumners jsumners left review comments

@Eomm Eomm Eomm left review comments

@gurgunday gurgunday gurgunday left review comments

@climba03003 climba03003 climba03003 requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@Fdawgs @jsumners @Eomm @climba03003 @gurgunday