Allow response object stripping according to schema

[worklez]

I'd like to be able to reply from a request handler with an object that has some extra keys other than its schema allows, with the resulting response containing only those keys that are allowed by the schema.

Example:

1. Server is configured with validation: { stripUnknown: true }
2. Route config has its response: { schema: Joi... } specified
3. Request handler retrieves a doc which has more keys than needed for the response
4. Calling reply(doc) internally validates doc to satisfy response.schema and returns result

Current behavior with the setup: doc validation succeeds, but final response contains keys not mentioned in the schema.
Desired behavior: doc validation succeeds, and final response doesn't contain keys not mentioned in the schema.

Related: #1639

[dminkovsky]

Yes, this would be awesome. I assumed this was the default behavior, and after some investigation saw that in the response's postValidate the validated (cast, and stripped) value is just discarded. I imagine it would be possible to add an option to the route's config/response that lets you return this value instead of the original payload.

Declarative response validation is an awesome Hapi feature. Letting that schema function as an actual gatekeeper beyond using it to serve or logging errors would be even better. My use-case for this is based on the notion that it's easier to scrub with Joi than to tweak data queries or to manually remove keys that I don't want in the response. It's a bit brain-dead, but it's also dead simple and absolutely and declaratively enforces how a response will look. It's both a form of testing and data protection. I can perform this same validation in the route handler, but that makes it less declarative.

[dminkovsky]

There's also a compatibility issue here with sample, because you don't want this behavior if sample is not 100.

[Couto]

I'm just starting with hapijs so my opinion might not be relevant, but I believe that adding an option like:

config: {
  response: {
    stripUnknown: true,
    schema: Joi.object({})
  }
}

would allow this change with breaking anything else.

Apart from that, I also think that filtering keys based on schema would be a great addition, since it seems that everyone, one way or another, is stripping out values from their responses to avoid displaying private properties.

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.