feat: add validation for message data

Author: TomokiMiyauci

clients.ts

@@ -10,7 +10,7 @@ import {
   SubscribeMessage,
 } from "./types.ts";
 import { isString } from "./deps.ts";
-import { resolveData } from "./resolve.ts";
+import { parseMessage } from "./parse.ts";
 
 export interface GraphQLWebSocketEventMap {
   next: MessageEvent<NextMessage>;
@@ -95,7 +95,7 @@ export class ClientImpl extends WebSocket implements Client {
   ): void {
     if (["next"].includes(type)) {
       this.#ws.addEventListener("message", (ev) => {
-        const [data, error] = resolveData(ev.data);
+        const [data, error] = parseMessage(ev.data);
 
         if (!data) {
           return this.close(CloseCode.BadRequest, error.message);

deps.ts

@@ -5,6 +5,7 @@ export {
   isString,
   isUndefined,
 } from "https://deno.land/x/[email protected]/mod.ts";
+import { isObject } from "https://deno.land/x/[email protected]/mod.ts";
 export {
   JSON,
   type json,
@@ -55,3 +56,9 @@ export function tryCatchSync<R, E>(
     return [, er];
   }
 }
+
+export function isPlainObject(
+  value: unknown,
+): value is Record<PropertyKey, unknown> {
+  return isObject(value) && value.constructor === Object;
+}

dev_deps.ts

@@ -0,0 +1,46 @@
+export * from "https://deno.land/[email protected]/testing/bdd.ts";
+import {
+  defineExpect,
+  jestMatcherMap,
+  jestModifierMap,
+} from "https://deno.land/x/[email protected]/mod.ts";
+
+export const expect = defineExpect({
+  matcherMap: {
+    ...jestMatcherMap,
+    toError: (
+      actual: unknown,
+      // deno-lint-ignore ban-types
+      error: Function,
+      message?: string,
+    ) => {
+      if (!(actual instanceof Error)) {
+        return {
+          pass: false,
+          expected: "Error Object",
+        };
+      }
+
+      if (!(actual instanceof error)) {
+        return {
+          pass: false,
+          expected: `${error.name} Object`,
+        };
+      }
+
+      if (message) {
+        return {
+          pass: actual.message === message,
+          expected: message,
+          resultActual: actual.message,
+        };
+      }
+
+      return {
+        pass: true,
+        expected: error,
+      };
+    },
+  },
+  modifierMap: jestModifierMap,
+});

handler.ts

@@ -18,9 +18,9 @@ import {
   GRAPHQL_TRANSPORT_WS_PROTOCOL,
   MessageType,
 } from "./constants.ts";
-import { resolveData } from "./resolve.ts";
 import { GraphQLExecutionArgs } from "./types.ts";
 import { validateWebSocketRequest } from "./validates.ts";
+import { parseMessage } from "./parse.ts";
 
 /**
  * @throws `AggregateError` - When GraphQL schema validation error has occurred.
@@ -61,7 +61,6 @@ export default function createHandler(
     }
 
     register(data.socket, params);
-    console.log(data.response);
     return data.response;
   };
 }
@@ -82,7 +81,7 @@ function register(
   });
 
   socket.addEventListener("message", async ({ data }) => {
-    const [message, error] = resolveData(data);
+    const [message, error] = parseMessage(data);
 
     if (!message) {
       return socket.close(

parse.ts

@@ -0,0 +1,19 @@
+import { isString, JSON } from "./deps.ts";
+import { Message } from "./types.ts";
+import { validateMessage } from "./validates.ts";
+
+export function parseMessage(
+  message: unknown,
+): [data: Message] | [data: undefined, error: SyntaxError | TypeError] {
+  if (!isString(message)) {
+    return [, TypeError("Invalid data type. Message must be string.")];
+  }
+
+  const [data, error] = JSON.parse(message);
+
+  if (error) {
+    return [, error];
+  }
+
+  return validateMessage(data);
+}

validates.ts

@@ -1,4 +1,20 @@
-import { createHttpError, HttpError, isNull, Status } from "./deps.ts";
+import {
+  createHttpError,
+  has,
+  HttpError,
+  isNull,
+  isPlainObject,
+  isString,
+  Status,
+} from "./deps.ts";
+import { MessageType } from "./constants.ts";
+import {
+  CompleteMessage,
+  GraphQLParameters,
+  Message,
+  NextMessage,
+  SubscribeMessage,
+} from "./types.ts";
 
 export function validateWebSocketRequest(req: Request): [result: true] | [
   result: false,
@@ -79,3 +95,165 @@ export function validateWebSocketRequest(req: Request): [result: true] | [
 
   return [true];
 }
+
+export function validateMessage(
+  value: unknown,
+): [data: Message] | [data: undefined, error: Error] {
+  if (!isPlainObject(value)) {
+    return [
+      ,
+      Error(
+        `Invalid data type. Must be plain object.`,
+      ),
+    ];
+  }
+
+  if (!has(value, "type")) {
+    return [, Error(`Missing field. Must include "type" field.`)];
+  }
+  if (!isString(value.type)) {
+    return [, Error(`Invalid field. "type" field of value must be string.`)];
+  }
+
+  switch (value.type) {
+    case MessageType.ConnectionInit:
+    case MessageType.ConnectionAck:
+    case MessageType.Ping:
+    case MessageType.Pong: {
+      if (has(value, "payload") && !isPlainObject(value.payload)) {
+        return [, Error(`Invalid field. "payload" must be plain object.`)];
+      }
+
+      return [value as Message];
+    }
+
+    case MessageType.Subscribe: {
+      if (!has(value, "id")) {
+        return [, Error(`Missing field. "id"`)];
+      }
+      if (!isString(value.id)) {
+        return [
+          ,
+          Error(
+            `Invalid field. "id" must be string.`,
+          ),
+        ];
+      }
+      if (!has(value, "payload")) {
+        return [, Error(`Missing field. "payload"`)];
+      }
+
+      const graphqlParametersResult = validateGraphQLParameters(value.payload);
+
+      if (!graphqlParametersResult[0]) {
+        return graphqlParametersResult;
+      }
+
+      return [
+        { ...value, payload: graphqlParametersResult[0] } as SubscribeMessage,
+      ];
+    }
+
+    case MessageType.Next: {
+      if (!has(value, "id")) {
+        return [, Error(`Missing property. "id"`)];
+      }
+      if (!has(value, "payload")) {
+        return [, Error(`Missing property. "payload"`)];
+      }
+      return [value as NextMessage];
+    }
+
+    case MessageType.Complete: {
+      if (!has(value, "id")) {
+        return [, Error(`Missing property. "id"`)];
+      }
+
+      return [value as CompleteMessage];
+    }
+
+    default: {
+      return [
+        ,
+        Error(
+          `Invalid field. "type" field of "${value.type}" is not supported.`,
+        ),
+      ];
+    }
+  }
+}
+
+export function validateGraphQLParameters(
+  value: unknown,
+): [data: GraphQLParameters] | [data: undefined, error: Error] {
+  if (!isPlainObject(value)) {
+    return [
+      ,
+      Error(
+        `Invalid field. "payload" must be plain object.`,
+      ),
+    ];
+  }
+
+  if (!has(value, "query")) {
+    return [
+      ,
+      Error(
+        `Missing field. "query"`,
+      ),
+    ];
+  }
+
+  if (!isString(value.query)) {
+    return [
+      ,
+      Error(
+        `Invalid field. "query" must be string.`,
+      ),
+    ];
+  }
+
+  if (
+    has(value, "variables") &&
+    (!isNull(value.variables) && !isPlainObject(value.variables))
+  ) {
+    return [
+      ,
+      Error(
+        `Invalid field. "variables" must be plain object or null`,
+      ),
+    ];
+  }
+  if (
+    has(value, "operationName") &&
+    (!isNull(value.operationName) && !isString(value.operationName))
+  ) {
+    return [
+      ,
+      Error(
+        `Invalid field. "operationName" must be string or null.`,
+      ),
+    ];
+  }
+  if (
+    has(value, "extensions") &&
+    (!isNull(value.extensions) && !isPlainObject(value.extensions))
+  ) {
+    return [
+      ,
+      Error(
+        `Invalid field. "extensions" must be plain object or null`,
+      ),
+    ];
+  }
+
+  const { query, ...rest } = value;
+
+  return [{
+    operationName: null,
+    variableValues: null,
+    extensions: null,
+    query,
+    ...rest,
+  }];
+}