fastify-simple-form
Fastify plugin that adds a content type parser for the application/x-www-form-urlencoded and/or multipart/form-data types.
Description
Essentially a tiny wrapper around busboy that parses application/x-www-form-urlencoded and/or multipart/form-data content types and attaches associated fields to request.body.
NB! This plugin does not handle files; these simply get discarded, as described here.
Install
npm install fastify-simple-form
TypeScript
Although this package includes typings for the plugin itself, you must install ones for node.js and busboy manually:
npm install @types/node @types/busboy --save-dev
Usage & Options
Selectively enable content types to parse
fastify.register(require('fastify-simple-form'), {
  multipart: true, // Enable parsing for `multipart/form-data`, default: true
  urlencoded: false, // Disable parsing for `application/x-www-form-urlencoded`, default: true
});
This plugin has no effect when both options above are set to false.
Options for busboy
Options for busboy can be passed in using the busboyOptions property, which has identical shape to the busboy constructor options, e.g.:
fastify.register(require('fastify-simple-form'), {
  busboyOptions: {
    defCharset: 'utf8',
    limits: {
      fieldNameSize: 100, // Max field name size (in bytes), default: 100
      fieldSize: 1000000, // Max field value size (in bytes), default: 1MB
      fields: 10, // Max number of non-file fields, default: Infinity
      // ...
    },
  },
});
Prototype poisoning protection
fastify.register(require('fastify-simple-form'), {
  onConstructorPoisoning: 'ignore', // Possible values are 'error', 'remove' and 'ignore'
  onProtoPoisoning: 'error' // Possible values are 'error', 'remove' and 'ignore'
});
- onConstructorPoisoning:
  - error - throws SyntaxError when a constructor key is found
  - remove - field will not be attached to request.body
  - ignore - field will be attached to request.body
- onProtoPoisoning:
  - error - throws SyntaxError when a key matching any property name of Object.prototype (besides constructor) is found
  - remove - field will not be attached to request.body
  - ignore - field will be attached to request.body
Both options will default to what is defined on the Fastify root instance (or Fastify's own defaults) for safe parsing of JSON objects. See onConstructorPoisoning and onProtoPoisoning.
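The three policies above, applied to a list of decoded form fields, as an added JavaScript example (not the plugin's own code). `attachFields`, `PROTO_KEYS` and the sample fields are hypothetical, and matching against the own property names of `Object.prototype` is an assumption about how the rule is applied.

```javascript
// Added illustration, not the plugin's source; attachFields() is hypothetical.
// Assumption: "property name of Object.prototype" means its own property names.
const PROTO_KEYS = new Set(
  Object.getOwnPropertyNames(Object.prototype).filter((k) => k !== 'constructor'),
);

function attachFields(pairs, { onProtoPoisoning, onConstructorPoisoning }) {
  // Null-prototype object: an ignored "__proto__" key becomes a plain own
  // property instead of reaching the inherited __proto__ setter.
  const body = Object.create(null);
  for (const [name, value] of pairs) {
    let action = 'ignore'; // ordinary field names are always attached
    if (name === 'constructor') action = onConstructorPoisoning;
    else if (PROTO_KEYS.has(name)) action = onProtoPoisoning;

    if (action === 'error') throw new SyntaxError(`Forbidden field name: ${name}`);
    if (action === 'remove') continue;
    body[name] = value;
  }
  return body;
}

// Constructed sample: decoded form fields in arrival order.
const sample = [
  ['username', 'jon'],
  ['__proto__', 'x'],
  ['constructor', 'y'],
  ['toString', 'z'],
];

function demo() {
  // 'remove' drops the Object.prototype names; 'ignore' keeps "constructor".
  const removed = attachFields(sample, {
    onProtoPoisoning: 'remove',
    onConstructorPoisoning: 'ignore',
  });
  // 'error' rejects the whole body at the first offending field name.
  let rejected = false;
  try {
    attachFields(sample, { onProtoPoisoning: 'error', onConstructorPoisoning: 'ignore' });
  } catch (err) {
    rejected = err instanceof SyntaxError;
  }
  return { keys: Object.keys(removed), rejected };
}

console.log(demo());
```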
Example
Given server & handler:
import Fastify from 'fastify';
import SimpleFormPlugin from 'fastify-simple-form';

const fastify = Fastify();

fastify.register(SimpleFormPlugin);

fastify.post(
  '/token',
  {
    schema: {
      body: {
        type: 'object',
        properties: {
          username: {
            type: 'string',
          },
          password: {
            type: 'string',
          },
          grant_type: {
            type: 'string',
            enum: ['password'],
          },
        },
        required: ['grant_type'],
      },
    },
  },
  (request, reply) => {
    reply.send(request.body);
  },
);

fastify.listen(3000);
These requests would succeed:
curl -F "username=jon" -F "password=snow" -F "grant_type=password" \
  localhost:3000/token
curl -d "username=jon" -d "password=snow" -d "grant_type=password" \
  localhost:3000/token
Response:
{
  "username": "jon",
  "password": "snow",
  "grant_type": "password"
}
While these won't pass the schema validation:
curl -F "username=jon" -F "password=snow" -F "grant_type=refresh_token" \
  localhost:3000/token
curl -d "username=jon" -d "password=snow" -d "grant_type=refresh_token" \
  localhost:3000/token
Response:
{
  "statusCode": 400,
  "error": "Bad Request",
  "message": "body.grant_type should be equal to one of the allowed values"
}