Skip to content

fix(index): add preHandler hook#207

Closed
Fdawgs wants to merge 1 commit intomainfrom
Fdawgs-patch-1
Closed

fix(index): add preHandler hook#207
Fdawgs wants to merge 1 commit intomainfrom
Fdawgs-patch-1

Conversation

@Fdawgs
Copy link
Copy Markdown
Member

@Fdawgs Fdawgs commented Jan 27, 2025
edited
Loading

The documentation states that this plugin adds a preHandler hook but the code says otherwise.

I noticed this as I was registering @fastify/bearer-auth before @fastify/cors (which is an onRequest hook) and pre-flight requests were being caught by this plugin, and auth shouldn't be applied to them.

Checklist

@Fdawgs
fix(index): register as preHandler hook
cddcfd6 
Signed-off-by: Frazer Smith <frazer.dev@icloud.com>
@Fdawgs Fdawgs changed the title fix(index): register as preHandler hook fix(index): add preHandler hook Jan 27, 2025
@Fdawgs Fdawgs requested a review from a team January 28, 2025 07:51
gurgunday
gurgunday reviewed Jan 28, 2025
View reviewed changes
Comment thread index.js
try {
if (options.addHook === true) {
fastify.addHook('onRequest', verifyBearerAuthFactory(options))
fastify.addHook('preHandler', verifyBearerAuthFactory(options))
Copy link
Copy Markdown
Member

@gurgunday gurgunday Jan 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not preValidation or preParsing for instance? We shouldn't validate anything if the auth isn't there in my opinion

Copy link
Copy Markdown
Member Author

@Fdawgs Fdawgs Jan 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That also works, was just updating the handler to correctly match the documentation. Can be changed!

Copy link
Copy Markdown
Member

@gurgunday gurgunday Jan 28, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah sure, I was just pointing it out :)

In any case, this would be a major right?

jsumners
jsumners reviewed Jan 28, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@jsumners jsumners left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The change happened in 78adb35

But I cannot find a corresponding issue to describe why it was done. It looks like @delvedor just did it.

gurgunday
gurgunday reviewed Jan 28, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@gurgunday gurgunday left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we change it to preParsing if we're going to release a major?

@Fdawgs
Copy link
Copy Markdown
Member Author

Fdawgs commented Jan 28, 2025

Can we change it to preParsing if we're going to release a major?

I think that would be best. I've just rejigged @fastify/auth's readme and it has this section that supports the use of the preParsing handler.

climba03003
climba03003 requested changes Jan 29, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@climba03003 climba03003 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would update the document and make the hook configurable.

Eomm
Eomm reviewed Jan 29, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@Eomm Eomm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

While I do agree that this would be a major, I think the onRequest hook seems right to me.

Whenever we get a request, we want to ensure that it is a valid client to call us.
Example: I have an endpoint with auth configured, if I get a malicious payload of 1GB, with this change we will parse it!

So, reading the issue:

I noticed this as I was registering @fastify/bearer-auth before @fastify/cors (which is an onRequest hook) and pre-flight requests were being caught by this plugin, and auth shouldn't be applied to them.

Isn't switching the cors/auth plugins the solution?
Or at most: fix the documentation

@Fdawgs
Copy link
Copy Markdown
Member Author

Fdawgs commented Jan 29, 2025

While I do agree that this would be a major, I think the onRequest hook seems right to me.

Whenever we get a request, we want to ensure that it is a valid client to call us. Example: I have an endpoint with auth configured, if I get a malicious payload of 1GB, with this change we will parse it!

I'm leaning more to making it configurable as climba suggested. Both onRequest and preParsing hooks should negate this.

@Fdawgs Fdawgs mentioned this pull request Jan 29, 2025
Merged
2 tasks
@jsumners
Copy link
Copy Markdown
Member

jsumners commented Feb 1, 2025

Seems fair. Make it configurable but default to onRequest.

@Fdawgs Fdawgs closed this Feb 4, 2025
@Fdawgs Fdawgs deleted the Fdawgs-patch-1 branch February 4, 2025 12:07
@Fdawgs Fdawgs mentioned this pull request Feb 4, 2025
Merged
4 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jsumners jsumners jsumners left review comments

@Eomm Eomm Eomm left review comments

@gurgunday gurgunday gurgunday left review comments

@climba03003 climba03003 climba03003 requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Fdawgs @jsumners @Eomm @climba03003 @gurgunday