Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

V0 #33

Merged
merged 37 commits into from
Oct 21, 2024
Merged

V0 #33

merged 37 commits into from
Oct 21, 2024

Conversation

jean-michelet
Copy link
Contributor

@jean-michelet jean-michelet commented Oct 9, 2024

#31 #10 #28 #34

The aim of this PR is to produce enough features to release a v0 (backend only).
I think it's simpler launch it this way, as the code changes a lot and it's easier to get feedback loop.

@jean-michelet jean-michelet marked this pull request as draft October 9, 2024 06:44
imports/ts-node.js Outdated Show resolved Hide resolved
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good work! What's missing?

imports/ts-node.js Outdated Show resolved Hide resolved
@jean-michelet
Copy link
Contributor Author

jean-michelet commented Oct 15, 2024

good work! What's missing?

To do for a v0

  • Use tsx
  • Add a pagination to the tasks
  • I think we should be able to upload task thumbnails

People that might be give a feedback: @gurgunday @climba03003 @melroy89 @metcoder95 @melroy89

Maybe for the future?

Initially, I wanted more features like:

  • User API for Profile and Password Management
  • Registration form with email confirmation

But, although useful from a pedagogical perspective, take the focus away from Fastify and its core plugins. Another problem is that more features leads to more work and maintenance, and I understand now that I will not have the help I expected to have in terms of contribution on this repo. So I think it's better to have a small, quality demo repo that I can commit to maintaining over the long term, than a more ambitious project that doesn't age well.

Frontend

I also wanted to build a frontend with Fastify/Vite, there is this PR for it, but I am not really confident with the TypeScript support of Fastify/Vite for now.

Fastify typing

I would like to work on improving TypeScript on Fastify to improve this demo, to get rid of merging declaration, but I see a lot of different PRs and opinions on the subject.

CLI DX

There is also this PR from @climba03003 we should review to offer a better CLI experience.

@melroy89
Copy link
Contributor

melroy89 commented Oct 15, 2024

People that might be give a feedback: @gurgunday @climba03003 @melroy89 @metcoder95 @melroy89

Twice my name 😆 . I'm just one person btw.

@jean-michelet
Copy link
Contributor Author

Update: following a post on my LinkedIn, I have a lot of people reaching me to contribute on this repo. So there is a chance that we can add more features after this PR and getting more DX feedbacks from the community 🤞

Copy link
Member

@metcoder95 metcoder95 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall , LGTM, just left few comments

src/plugins/external/session.ts Outdated Show resolved Hide resolved
src/routes/api/autohooks.ts Show resolved Hide resolved
src/plugins/custom/authorization.ts Outdated Show resolved Hide resolved
src/plugins/external/cookie.ts Outdated Show resolved Hide resolved
src/routes/api/auth/index.ts Outdated Show resolved Hide resolved
src/routes/api/tasks/index.ts Outdated Show resolved Hide resolved
@jean-michelet jean-michelet marked this pull request as ready for review October 19, 2024 19:24
@jean-michelet jean-michelet requested review from melroy89, Mathieuka, metcoder95 and Fdawgs and removed request for melroy89, metcoder95 and Mathieuka October 19, 2024 19:24
@jean-michelet
Copy link
Contributor Author

jean-michelet commented Oct 19, 2024

I should do a thorough review, especially to make sure the doc is up to date and that we are consistent in the plugin (code in general) organization.

But I think I can get most of your feedback already so I change the status to RFR!

}

const allowedMimeTypes = ['image/jpeg', 'image/png']
if (!allowedMimeTypes.includes(file.mimetype)) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realize mime type is not guessed from file content, if I send one_line_csv.png, it does work...

Copy link
Contributor Author

@jean-michelet jean-michelet Oct 19, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we use file-type?

const fileBuffer = await file.toBuffer();
const fileType = await fileTypeFromBuffer(fileBuffer);

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No opinion about this @climba03003 @gurgunday?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After this feedback, I will merge.

Copy link
Member

@Fdawgs Fdawgs Oct 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd say yes, as it's a security risk. It's something I checked in one of my APIs using file-type's fromBuffer: https://github.com/Fdawgs/docsmith/blob/main/src/routes/pdf/html/index.js#L32-L51

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great the link, this is a good reason for educating about addContentTypeParser utility.
But don't you think we should mention this security risk in the plugin documentation?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There could be a mention, yeah

But it's ultimately the same idea of never trusting a client without input validation

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

But do we offer this kind of validation, or does a package we use offer this kind of validation?

Doesn't look like we recommend real validation for content file by reading the doc.

Copy link
Member

@climba03003 climba03003 Oct 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have no very strong opinion on inspecting the file content for the content-type, most of the application only use .ext to content-type (e.g. Reverse Proxy, Browser, OS).
If it is an input file (batch processing), you should validate the actual content inside instead of the guessed content-type.
If it is an image file or the others, using wrong content-type does not make changes (malicious code can still be hide inside the correct content-type and execute when parsing).

IMO, the only valid reason of guessing the content-type is you want to process the content and don't want to waste time or resources on apparently invalid one.

package.json Outdated
@@ -9,29 +9,33 @@
},
"scripts": {
"start": "npm run build && fastify start -l info dist/app.js",
"build": "tsc",
"build": "rm -rf ./dist && tsc",
Copy link
Member

@Fdawgs Fdawgs Oct 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

rm -rf won't work for Windows users using cmd or PowerShell.
You may need to either add a script to scripts/ that cleans up dist using node:fs's rm and call that, or explicitly state in documentation for users to use Git Bash which comes with Git for Windows.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or just don't use windows 🤣🤭

Copy link
Member

@climba03003 climba03003 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is a bit hard to review, as it contain nearly 50 files changes.
Overall, LGTM. Should merge it before adding more changes.

@jean-michelet
Copy link
Contributor Author

It is a bit hard to review, as it contain nearly 50 files changes.

Sorry about that, I really wanted to achieve the main backend features.

@jean-michelet
Copy link
Contributor Author

jean-michelet commented Oct 21, 2024

OK, I think I am gonna merge and will create issues to fix the existing or add new features.
It could be great to have more reviews, especially on the security aspect.

I suggest we wait a little before communicating on it.

@jean-michelet
Copy link
Contributor Author

Thanks all of you for your reviews ❤️

@jean-michelet jean-michelet merged commit dfb66bb into fastify:main Oct 21, 2024
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants