Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add $client hook #65

Merged
merged 8 commits into from
Jan 6, 2017
Merged

add $client hook #65

merged 8 commits into from
Jan 6, 2017

Conversation

eddyystop
Copy link
Collaborator

  • It will help people feel safe and warm inside,
    instead of wondering if they’re doing something that’s a hack.
  • Will put docs in GitBook once this is merged.

@eddyystop
add $client hook
8081d85 
- It will help people feel safe and warm inside,
instead of wondering if they’re doing something that’s a hack.
- Will put docs in GitBook once this is merged.
@eddyystop
Fixed lint issue
0e7831e
marshallswain
marshallswain reviewed Dec 7, 2016
View reviewed changes
src/new.js
@@ -225,3 +225,49 @@ export const isNot = (predicate) => {
return result.then(result1 => !result1);
};
};

/**
* Move params from client to hook.params.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

$client

marshallswain
marshallswain reviewed Dec 7, 2016
View reviewed changes
src/new.js
};
};

const reservedParamProps = ['app', 'authenticated', '__authenticated',
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should sequelize and mongoose be in this list?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do any other adapters have special props? Knex? Stripe?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure. I don't think so but I'd have to look.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

permitted and __permitted have now been removed. The permissions hooks no longer use those fields based on this discussion feathersjs-ecosystem/feathers-permissions#4 (comment).

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its hook.app not hook.params.app. So app should be removed.

ekryski
ekryski reviewed Dec 8, 2016
View reviewed changes
test/client.test.js
assert.throws(() => {
$client(
'app', 'authenticated', '__authenticated',
'permitted', '__permitted', 'provider', 'query'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just forgot to remove permitted and __permitted.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for that catch!

@daffl
Copy link
Member

daffl commented Dec 9, 2016

I'm not sure about reservedParamProps since the hook shouldn't really know about any other plugin that could potentially have restricted properties.

We might be able to define things like authenticated as read-only properties so it would throw an error if you are overriding it. That won't take care of when they are not defined but I'd go as far as saying that if you put sequelize or something like that explicitly into the whitelist it's your own fault.

@eddyystop
Copy link
Collaborator Author

@ekryski and @marshall were proponents of the whitelist so we need their input.

@ekryski
Copy link
Member

ekryski commented Dec 9, 2016
edited
Loading

We might be able to define things like authenticated as read-only properties so it would throw an error if you are overriding it.

Yeah that's the plan but until I get that sorted the whitelist for that piece is a good prevention measure. So we can either hold up this hook or ship it and pull that stuff out in the future.

That won't take care of when they are not defined but I'd go as far as saying that if you put sequelize or something like that explicitly into the whitelist it's your own fault.

I agree but then we should probably rename those in the adapters to $sequelize and $mongoose or something to denote that they are special. It's still pretty easy to inadvertently overwrite them. I think we have a few cases where it is a little too easy to accidentally do the wrong thing cough .remove(null) cough.

@marshall
Copy link

marshall commented Dec 9, 2016

you have the wrong Marshall :)

@ekryski
Copy link
Member

ekryski commented Dec 9, 2016

Poor @marshall, pretty sure that has happened a couple times on some of our issues/PRs. Sorry about that mate! 😄

@eddyystop I think you meant @marshallswain

@daffl
Copy link
Member

daffl commented Dec 9, 2016
edited
Loading

It's not implicit thought right? You have to explicitly whitelist a property. So if you explicitly whitelist something potentially dangerous there isn't much we can do about it so why try and do it with (some of) the stuff we know about right now?

Oh also, we probably want a reverse of this hook for the client side (so something that puts a whitelist of params into query.$client).

This was referenced Dec 18, 2016
Closed
Merged
@eddyystop
Copy link
Collaborator Author

@daffl, your first comment is valid. I think another point of the whitelist was for the server to limit what the client may specify. It prevents what someone hacking from the browser console can do.

How will we package client side hooks? We'd also need a copy of them in this repo so the server can do what the client can.

Merry Christmas eve.

@daffl
Copy link
Member

daffl commented Dec 26, 2016

Probably fairly simple like:

function client(... whitelist) {
  return function(hook) {
    const client = hook.params.query.$client = {};

    whitelist.forEach(key => client[key] = hook.params[key]);
  }
}

@eddyystop
Copy link
Collaborator Author

I add the client-side hook as a separate PR

@daffl
Copy link
Member

daffl commented Dec 27, 2016

I still don't think that the reservedParamProps is necessary when people have to explicitly provide a whitelist (as I said, if someone is explicitly doing something wrong we can't help them) but if it's still controversial then :shipit:

@ekryski
Copy link
Member

ekryski commented Jan 5, 2017
edited
Loading

ok 2 comments:

  • I think we should name the hook function client instead of $client. That's me being a bit pedantic but it will keep it consistent with the rest of the hooks. It looks a bit out of place being prefixed with $.
  • After reviewing again and thinking about it, I think I'm with @daffl on this now. We don't really need the reservedParamProps if someone whitelists them themselves, then it's their own fault and they are whitelisting some pretty buried props. I'll work to quickly prefix them with __ to have a bit more obscurity.

After that is done :shipit:

@ekryski
Copy link
Member

ekryski commented Jan 6, 2017

Looks good. :shipit: @eddyystop!

@eddyystop eddyystop merged commit 818474f into master Jan 6, 2017
@eddyystop eddyystop deleted the client branch January 6, 2017 02:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ekryski ekryski ekryski left review comments

@marshallswain marshallswain marshallswain left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@eddyystop @daffl @ekryski @marshall @marshallswain