-
-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Username validation refactor #1569
Conversation
@@ -0,0 +1,100 @@ | |||
{{={= =}=}} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Moving email utils from utils.ts
to providers/email/utils.ts
@@ -28,3 +30,8 @@ export default handleRejection(async (req, res) => { | |||
|
|||
return res.json({ token }) | |||
}) | |||
|
|||
function ensureValidArgs(args: unknown): void { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Validating the username & password in the route
@@ -0,0 +1,77 @@ | |||
import HttpError from '../core/HttpError.js'; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Putting username and email validations in one place
registerPasswordHashing(prismaClient) | ||
} | ||
|
||
const userValidations = [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removing username & password validation from Prisma middleware
Note: password hashing is still here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess password hashing is fine there!
What is our reasoning though about removing username & pass validation from there -> aren't we loosing something? I know you said we can reintroduce it back later once we do refactoring, but why not fix it now in such way that we keep having it there? Do you think it is not useful to have it there? Should we discuss the use cases a bit, pros and cons of having or not having it there?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to be clear: we are not removing the validation but rather moving it into the route 🙂
We are moving to route to make it work like email validation: connected to the login and signup process then connected to the Prisma model.
We are losing the customisation mechanism, but we should reintroduce it in a more user friendly way and in a way that enable also email validation customisation.
The current customisation mechanism felt a bit hacky and it you needed to specify the overrides on each usage with _waspCustomValidations
. Also, I assume the feature is not really used. I got the feeling that people like the higher level API much more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure that all makes sense, why I am asking is that that way it was before validation was enforced on any change to username / pass, not just the change via the routes. So if I as a developer do something more manually and want to set username/pass directly on the User entity, that would also be caught, while now it will not be caught. So I was curious why have you decided to drop that. For example, if I use https://wasp-lang.dev/docs/auth/username-and-pass#2-creating-your-custom-actions, I won't be getting these validations any more, right?
You say you think it wasn't used much -> I think there is certainly a case where it happens, which is https://wasp-lang.dev/docs/auth/username-and-pass#2-creating-your-custom-actions , and we since we are supporting that, I think we want to ensure good experience here. The question is, is it weird / bad if we drop these validations here? Is it expected by the developer? I think it might not be expected, so in that case we should mention this in the docs -> hey, you now have to do validation here on your own.
I wonder if they would rather have these validations here or not. If they are here, they can be annoying if they can't override them. But if there are none, they will have to implement their own.
I think I find it easier to think about if the concept of validating username/email is centralized per whole Wasp app, and you can either use it as it is default or customize it. I don't like the idea of them by accident not using it, or by accident going around it.
But I would like to hear your thoughts here, in more details!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For example, if I use https://wasp-lang.dev/docs/auth/username-and-pass#2-creating-your-custom-actions, I won't be getting these validations any more, right?
Yes, these validation won't apply here any more. The user will be responsible for validating the payload. And he can use our ensureValidUsername
and ensureValidPassword
helper functions. This is something I can write about in the docs in the section you linked (which I overlooked, sorry about that)
You say you think it wasn't used much -> I think there is certainly a case where it happens, which is https://wasp-lang.dev/docs/auth/username-and-pass#2-creating-your-custom-actions
"a case where it happens" != "users using the feature", I was talking about users not really customising the auth validation
and we since we are supporting that, I think we want to ensure good experience here.
I agree we should give them tools to validate auth related fields or any fields in general 👍
I think I find it easier to think about if the concept of validating username/email is centralized per whole Wasp app, and you can either use it as it is default or customize it.
I feel the validations are an auth feature and it should happen in that flow. If the users are building their custom auth flow, they can use our lower level validation helpers like mentioned above.
Alternatively, validation is hidden from the user and it happens at the Prisma level which is a bit too hidden for my taste. I'd rather instruct them to use ensureValidUsername
then explain the details of validation happening in the Prisma middleware.
I don't like the idea of them by accident not using it, or by accident going around it.
Users can't accidentally write their own login and signup actions 😄 At that point they are responsible for validating the frontend payload before saving it in the database IMHO
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok @infomiho this makes sense to me, let's do this as you described here!
@@ -429,65 +429,6 @@ If you use [Email](/docs/auth/email) authentication, the default validations are | |||
|
|||
Note that `email`s are stored in a **case-insensitive** manner. | |||
|
|||
### Customizing validations |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removing docs section around using auth validation customisation since it no longer exists.
I'd move the auth customization API to the DSL (like we have custom signup fields for example), but let's do as a new feature. #1571
Signed-off-by: Mihovil Ilakovac <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@infomiho looks good in general but I would like to hear more about the reasoning you used to decide on removing the validation from the middleware! I wrote a bit about it in the comment also.
registerPasswordHashing(prismaClient) | ||
} | ||
|
||
const userValidations = [] |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess password hashing is fine there!
What is our reasoning though about removing username & pass validation from there -> aren't we loosing something? I know you said we can reintroduce it back later once we do refactoring, but why not fix it now in such way that we keep having it there? Do you think it is not useful to have it there? Should we discuss the use cases a bit, pros and cons of having or not having it there?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@infomiho I approved, but it seems to me one thing is still missing: explaining in docs at which point does default validation stop working for them and they have to use those built-in arg validators.
I imagine we could mention this in auth/overview.md, when we say "Wasp includes several basic validation mechanisms for the auth fields." -> we could mention here that these validations work only in such and such case?
Also, when we tell them they can do their own custom login/singup actions, we should mention there that they should make sure to do validation on their own + point them to the built-in helpers. And finally, at the built-in helpers docs, we also might want to mention that these are needed when you are not using our actions but instead going rouge :D.
I am not sure if any of these is already in the docs but I couldn't find it.
validation.ts
Left to do
Closes #1566
Closes #1563