7

I want to use a whitelist in my route's body validation. I expect that only data that conforms to my model is accepted, and if some parameter is sent that is not part of my model DTO, an error must be thrown.

This is my DTO :

import { IsNotEmpty, MinLength } from 'class-validator';

export class RegisterDTO {
    @MinLength(5)
    userName: string;

    @MinLength(8)
    password: string;

    @IsNotEmpty()
    seller: boolean;

    address: {
        city: string;
        street: string;
        apartment?: string;
    };
}

This is my controller :

@Post('register')
@UsePipes(new ValidationPipe({ transform: true, whitelist: true}))
async register(@Body() userDTO: RegisterDTO) {
    const user = await this.userService.create(userDTO);
    const payload: Payload = {
        userName: user.userName,
        seller: user.seller,
    };

    const token = await this.authService.signPayload(payload);
    return {user, token};
}

But when I send this data I don't get an error:

{
   "userName": "userdasdnasdasdadad",
   "password": "passwdasdasdasadasdasda",
   "address": {
      "city": "kiev",
      "street": "amosova"
   },
   "seller": false,
   "test": "test"
}

"test": "test" must not be allowed as a parameter; I expect an error to be thrown, but there is none.

Kim Kern
Anton Skybun

1 Answer

10

The option `whitelist` only strips unknown values when the JSON is transformed into your DTO class, without throwing an error, so in your case the property `test` is silently removed.

If you want to throw a validation error when an unknown property is encountered, you need to add the option forbidNonWhitelisted:

@UsePipes(
    new ValidationPipe({
        transform: true,
        whitelist: true,
        forbidNonWhitelisted: true,
    }),
)
Kim Kern
  • Thanks for the answer. I have added forbidNonWhitelisted: true; it removes test from the response, but doesn't throw an error https://snag.gy/ideuRb.jpg – Anton Skybun Mar 29 '19 at 13:24
  • It works as if all is fine and gives me a token, but I sent a wrong model and want to get an error – Anton Skybun Mar 29 '19 at 13:27
  • Mh, that's weird. I've tried it here and it works: https://codesandbox.io/s/9jlkpxv744?fontsize=14&module=%2Fsrc%2Fapp.controller.ts – Kim Kern Mar 29 '19 at 13:29
  • When you send a POST request to https://9jlkpxv744.sse.codesandbox.io/ with `{ "username": "kiwi", "firstname": "123456" }` you'll get a 400 with `"whitelistValidation": "property firstname should not exist"` – Kim Kern Mar 29 '19 at 13:30
  • Thanks. It helped me. The problem was that I defined a globalPipe to use and added forbidNonWhitelisted only locally to the controller, but forgot to add it to the global one – Anton Skybun Mar 29 '19 at 13:42
  • It happens because my globalUsePipe doesn't work(( and I added ValidationPipe to the controller – Anton Skybun Mar 29 '19 at 13:43
  • But I also saw that props without a @Decorator from the validation class are also not allowed, and you must use @Allow – Anton Skybun Mar 29 '19 at 13:45
  • 1
    Yup, that's true! Please also see this answer, if you want to use nested validation (for example for your address): https://stackoverflow.com/a/53685045/4694994 – Kim Kern Mar 29 '19 at 13:47
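
The three behaviours from the answer and comments above (pass through, silent strip, reject), run against the request body from the question. This is an added, dependency-free model and not code from the post or from class-validator; `check`, `Schema`, the two schemas and the rules for the `address` fields are assumptions made for the illustration.

```typescript
// Dependency-free model of the options discussed above; NOT class-validator's code.
// Rule, Schema, Options, Obj, check and both schemas are hypothetical names.
type Rule = ((v: unknown) => boolean) | Schema; // a decorator-like check, or a nested DTO
interface Schema { [prop: string]: Rule }
interface Options { whitelist?: boolean; forbidNonWhitelisted?: boolean }
type Obj = Record<string, unknown>;

function check(schema: Schema, body: Obj, opts: Options, path = ''): { value: Obj; errors: string[] } {
  const value: Obj = Object.create(null); // no prototype, so a "__proto__" key is just data
  const errors: string[] = [];
  for (const key of Object.keys(body)) {
    if (Object.prototype.hasOwnProperty.call(schema, key)) continue;
    // Property without any rule: pass through, strip silently, or reject.
    if (!opts.whitelist) value[key] = body[key];
    else if (opts.forbidNonWhitelisted) errors.push(`property ${path}${key} should not exist`);
  }
  for (const key of Object.keys(schema)) {
    const rule = schema[key];
    const v = body[key];
    if (typeof rule === 'function') {
      if (!rule(v)) errors.push(`${path}${key} is invalid`);
      if (v !== undefined) value[key] = v;
    } else if (typeof v === 'object' && v !== null && !Array.isArray(v)) {
      const nested = check(rule, v as Obj, opts, `${path}${key}.`);
      value[key] = nested.value;
      errors.push(...nested.errors);
    } else {
      errors.push(`${path}${key} must be an object`);
    }
  }
  return { value, errors };
}

const minLength = (n: number) => (v: unknown) => typeof v === 'string' && v.length >= n;
const isString = (v: unknown) => typeof v === 'string';
// RegisterDTO as posted: `address` carries no decorator, so it has no rule here.
const asPosted: Schema = { userName: minLength(5), password: minLength(8),
  seller: (v) => v !== undefined && v !== null && v !== '' };
// Assumed fix: `address` described as a nested DTO (its field rules are assumptions).
const withAddress: Schema = { ...asPosted, address: { city: isString, street: isString,
  apartment: (v) => v === undefined || isString(v) } };
// Constructed sample: the request body from the question.
const sample: Obj = JSON.parse(`{"userName":"userdasdnasdasdadad","password":"passwdasdasdasadasdasda",
  "address":{"city":"kiev","street":"amosova"},"seller":false,"test":"test"}`);

const modes: Options[] = [{}, { whitelist: true }, { whitelist: true, forbidNonWhitelisted: true }];
for (const opts of modes) console.log(opts, check(asPosted, sample, opts));
```

With `whitelist` alone the model drops both `test` and the undecorated `address` without an error, so the handler receives less data than the client sent and nothing signals it.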