use arktype for clientside validation

2025-11-13 08:12:40 +10:00 · 2025-03-22 19:37:28 -04:00
parent 257cdacad4
commit c1272dc7a7
7 changed files with 87 additions and 79 deletions
--- a/server/api/v1/auth/signup/simple.post.ts
+++ b/server/api/v1/auth/signup/simple.post.ts
@ -4,9 +4,15 @@ import { createHashArgon2 } from "~/server/internal/security/simple";
 import { v4 as uuidv4 } from "uuid";
 import * as jdenticon from "jdenticon";
 import objectHandler from "~/server/internal/objects";
+import { type } from "arktype";
+import { writeNonLiteralDefaultMessage } from "arktype/internal/parser/shift/operator/default.ts";

-// Only really a simple test, in case people mistype their emails
-const mailRegex = /^\S+@\S+\.\S+$/;
+const userValidator = type({
+  username: "string >= 5",
+  email: "string.email",
+  password: "string >= 14",
+  "displayName?": "string | undefined",
+});

 export default defineEventHandler(async (h3) => {
  const body = await readBody(h3);
@ -27,59 +33,24 @@ export default defineEventHandler(async (h3) => {
      statusMessage: "Invalid or expired invitation.",
    });

-  const useInvitationOrBodyRequirement = (
-    field: keyof Invitation,
-    check: (v: string) => boolean
-  ) => {
-    if (invitation[field]) {
-      return invitation[field].toString();
-    }
+  const user = userValidator(body);
+  if (user instanceof type.errors) {
+    // hover out.summary to see validation errors
+    console.error(user.summary);

-    const v: string = body[field]?.toString();
-    const valid = check(v);
-    return valid ? v : undefined;
-  };
-
-  const username = useInvitationOrBodyRequirement(
-    "username",
-    (e) => e.length >= 5
-  );
-  const email = useInvitationOrBodyRequirement("email", (e) =>
-    mailRegex.test(e)
-  );
-  const password = body.password;
-  const displayName = body.displayName || username;
-
-  if (username === undefined)
    throw createError({
      statusCode: 400,
-      statusMessage: "Username is invalid. Must be more than 5 characters.",
-    });
-  if (username.toLowerCase() != username)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Username must be all lowercase",
+      statusMessage: user.summary,
    });
+  }

-  if (email === undefined)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Invalid email. Must follow the format you@example.com",
-    });
+  // reuse items from invite
+  if (invitation.username !== null) user.username = invitation.username;
+  if (invitation.email !== null) user.email = invitation.email;

-  if (!password)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Password empty or missing.",
-    });
-
-  if (password.length < 14)
-    throw createError({
-      statusCode: 400,
-      statusMessage: "Password must be 14 or more characters.",
-    });
-
-  const existing = await prisma.user.count({ where: { username: username } });
+  const existing = await prisma.user.count({
+    where: { username: user.username },
+  });
  if (existing > 0)
    throw createError({
      statusCode: 400,
@ -91,12 +62,12 @@ export default defineEventHandler(async (h3) => {
  const profilePictureId = uuidv4();
  await objectHandler.createFromSource(
    profilePictureId,
-    async () => jdenticon.toPng(username, 256),
+    async () => jdenticon.toPng(user.username, 256),
    {},
    [`internal:read`, `${userId}:write`]
  );

-  const hash = await createHashArgon2(password);
+  const hash = await createHashArgon2(user.password);
  const [linkMec] = await prisma.$transaction([
    prisma.linkedAuthMec.create({
      data: {
@ -106,9 +77,9 @@ export default defineEventHandler(async (h3) => {
        user: {
          create: {
            id: userId,
-            username,
-            displayName,
-            email,
+            username: user.username,
+            displayName: user.displayName ?? user.username,
+            email: user.email,
            profilePicture: profilePictureId,
            admin: invitation.isAdmin,
          },