-
-
Notifications
You must be signed in to change notification settings - Fork 15
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
V0 #33
V0 #33
Conversation
Signed-off-by: Jean <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good work! What's missing?
To do for a v0
People that might be give a feedback: @gurgunday @climba03003 @melroy89 @metcoder95 @melroy89 Maybe for the future?Initially, I wanted more features like:
But, although useful from a pedagogical perspective, take the focus away from Fastify and its core plugins. Another problem is that more features leads to more work and maintenance, and I understand now that I will not have the help I expected to have in terms of contribution on this repo. So I think it's better to have a small, quality demo repo that I can commit to maintaining over the long term, than a more ambitious project that doesn't age well. FrontendI also wanted to build a frontend with Fastify/Vite, there is this PR for it, but I am not really confident with the TypeScript support of Fastify/Vite for now. Fastify typingI would like to work on improving TypeScript on Fastify to improve this demo, to get rid of merging declaration, but I see a lot of different PRs and opinions on the subject. CLI DXThere is also this PR from @climba03003 we should review to offer a better CLI experience. |
Twice my name 😆 . I'm just one person btw. |
Update: following a post on my LinkedIn, I have a lot of people reaching me to contribute on this repo. So there is a chance that we can add more features after this PR and getting more DX feedbacks from the community 🤞 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall , LGTM, just left few comments
I should do a thorough review, especially to make sure the doc is up to date and that we are consistent in the plugin (code in general) organization. But I think I can get most of your feedback already so I change the status to RFR! |
} | ||
|
||
const allowedMimeTypes = ['image/jpeg', 'image/png'] | ||
if (!allowedMimeTypes.includes(file.mimetype)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I realize mime type is not guessed from file content, if I send one_line_csv.png
, it does work...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we use file-type
?
const fileBuffer = await file.toBuffer();
const fileType = await fileTypeFromBuffer(fileBuffer);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No opinion about this @climba03003 @gurgunday?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
After this feedback, I will merge.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd say yes, as it's a security risk. It's something I checked in one of my APIs using file-type's fromBuffer: https://github.com/Fdawgs/docsmith/blob/main/src/routes/pdf/html/index.js#L32-L51
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great the link, this is a good reason for educating about addContentTypeParser
utility.
But don't you think we should mention this security risk in the plugin documentation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There could be a mention, yeah
But it's ultimately the same idea of never trusting a client without input validation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But do we offer this kind of validation, or does a package we use offer this kind of validation?
Doesn't look like we recommend real validation for content file by reading the doc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have no very strong opinion on inspecting the file content for the content-type, most of the application only use .ext
to content-type
(e.g. Reverse Proxy, Browser, OS).
If it is an input file (batch processing), you should validate the actual content inside instead of the guessed content-type
.
If it is an image file or the others, using wrong content-type does not make changes (malicious code can still be hide inside the correct content-type and execute when parsing).
IMO, the only valid reason of guessing the content-type is you want to process the content and don't want to waste time or resources on apparently invalid one.
package.json
Outdated
@@ -9,29 +9,33 @@ | |||
}, | |||
"scripts": { | |||
"start": "npm run build && fastify start -l info dist/app.js", | |||
"build": "tsc", | |||
"build": "rm -rf ./dist && tsc", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
rm -rf
won't work for Windows users using cmd or PowerShell.
You may need to either add a script to scripts/
that cleans up dist using node:fs
's rm
and call that, or explicitly state in documentation for users to use Git Bash which comes with Git for Windows.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Or just don't use windows 🤣🤭
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is a bit hard to review, as it contain nearly 50 files changes.
Overall, LGTM. Should merge it before adding more changes.
Sorry about that, I really wanted to achieve the main backend features. |
OK, I think I am gonna merge and will create issues to fix the existing or add new features. I suggest we wait a little before communicating on it. |
Thanks all of you for your reviews ❤️ |
#31 #10 #28 #34
The aim of this PR is to produce enough features to release a v0 (backend only).
I think it's simpler launch it this way, as the code changes a lot and it's easier to get feedback loop.