Make api endpoints type safe at runtime #814

pmarsh-scottlogic · 2024-02-05T10:46:30Z

Since Typescript only operates at compile time, and our endpoints receive arbitrary JSON at runtime, a client could pass in JSON with all the wrong types and our code will happily consume it. Take handleAddToChatHistory as an example.

function handleAddToChatHistory(req: OpenAiAddHistoryRequest, res: Response) {
	const infoMessage = req.body.message;
	const chatMessageType = req.body.chatMessageType;
	const level = req.body.level;
	if (
		infoMessage &&
		chatMessageType &&
		level !== undefined &&
		level >= LEVEL_NAMES.LEVEL_1
	) {
		req.session.levelState[level].chatHistory = pushMessageToHistory(
			req.session.levelState[level].chatHistory,
			{
				chatMessageType,
				infoMessage,
			} as ChatMessage
		);
		res.send();
	} else {
		res.status(400);
		res.send();
	}
}

where

type OpenAiAddHistoryRequest = Request<
	never,
	never,
	{
		chatMessageType?: CHAT_MESSAGE_TYPE;
		message?: string;
		level?: LEVEL_NAMES;
	},
	never,
	never
>;

At the moment we check that stuff exists, but we don't check the type. Here's a nonsense request body that would be happily consumed at runtime (resulting in a 500 error):

{
    "level": 1000,
    "message": true,
    "chatMessageType": "hello!"
}

The text was updated successfully, but these errors were encountered:

pmarsh-scottlogic added this to the Review and close off error handling milestone Feb 5, 2024

pmarsh-scottlogic added the backend Requires work on the backend label Mar 8, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Make api endpoints type safe at runtime #814

Make api endpoints type safe at runtime #814

pmarsh-scottlogic commented Feb 5, 2024 •

edited

Loading

Make api endpoints type safe at runtime #814

Make api endpoints type safe at runtime #814

Comments

pmarsh-scottlogic commented Feb 5, 2024 • edited Loading

pmarsh-scottlogic commented Feb 5, 2024 •

edited

Loading