The validation for type checking must be changed

[samislam]

I am having extra work to do on the front end because of missing built-in features which should be supported in Mongoose by default.

Request [1]: Either allow all the fields to accept empty strings as a signal to reset the field to empty, or disallow it completely.

Take this example:

I have the following schema:

const mySchema = new mongoose.Schema({
   name: String,
   room: {
      type: mongoose.Schema.ObjectId,
   },
   age: Number
})

And on the web front-end, I have the following inputs in an Update User Form (used to update a user):

click here to copy the code 🗒

I want to support the following features:
[] All the fields are optional to be filled.
[] If the field is empty, this means that the user wants to reset the field to empty, (ex: name: "Jamaal" ---> name: "")

Now, after testing that, the following happens:

Test 1:

Form values:

JSON:

{
  "name": "Joe Nim",
  "age": "10",
  "room": "507f1f77bcf86cd799439011"
}

Result:

as expected. the user document has been updated to hold the values in the JSON object.

Test 2:

Form values:

JSON:

{
  "name": "",
  "age": "10",
  "room": "507f1f77bcf86cd799439011"
}

Result:

The user document's name field has been updated to become an empty string in the database.

Test 3:

Form values:

JSON:

{
  "name": "",
  "age": "",
  "room": "507f1f77bcf86cd799439011"
}

Result:

The user document's name and age fields have been updated to become empty strings in the database.

Test 4:

Form values:

JSON:

{
  "name": "",
  "age": "",
  "room": ""
}

Result:

Cast Error: Expected an Object Id but got a string instead.

Now, If I had to fix this problem and allow removing the room field, I would do that on the front-end as follows:

function formSubmit(e){
  e.preventDefault()
  let formValues = new FormData(e.target)
  formValues = Object.fromEntries(formValues)
  if(formValues.room === "") formValues.room = null
}

• But why do I have to do that, I believe that should be handled somehow by Mongoose.

Request [2]: Prevent allowing the Schema types String & Number (idk, and the others?) to accept null as a value.

Take the following example:

I have the following schema:

const mySchema = new mongoose.Schema({
blogPost: String
})

and I have the following express routes

app.get('/posts/:postId', async (req, res, next)=>{
  const doc = Posts.findById(req.params.postId)
  res.status(200).json({
     data: doc
  })
})
app.patch('/posts/:postId', async (req, res, next)=>{
  const updatedDoc = Posts.findByIdAndUpdate(req.params.id, req.body, { runValidators: true, new: true })
  res.status(200).json({
     data: updatedDoc
  })
})

Let's pretend that I'm a pro admin who likes to write his blog posts using postman instead of the front-end webpage and I wrote the following in the body of the PATCH request:

And lets say that on the front-end, the code which is used to view the post looks as follows:

<div class="view">   <!-- blog post content goes here --->   </div>
<script>
const view = document.querySelector('.view')
async function fetchPost(postId){
  const { data: post } = axios.get(`https://api.example.com/posts/${postId}`)
  const content = post.blogPost.capitalize() // 👈 here's the problem 💣
  view.innerText = content
}
// on page load
await fetchPost("507f191e810c19729de860ea")
</script>

In this example, the admin used Postman to perform an XSS attack without noticing, and now the front-end is having problems rendering the blog post, because it's of type null and .capitalize() is not a function on null values, it can only be used on strings.

This means that we need to find a better way to signal that we want to reset this field to empty from the front end.

[vkarpov15]

So what is the question here? Is the issue just that passing an empty string '' to a property that expects an ObjectId causes a CastError, or is there something else?

[samislam]

Yes. Just like that

[vkarpov15]

@samislam here's an example of how you can convert empty string to null for ObjectIds using custom casting. Does this help?

'use strict';

const mongoose = require('mongoose');

// Special case for casting empty strings '': convert
// '' to `null` for ObjectIds
const castObjectId = mongoose.ObjectId.cast();
mongoose.ObjectId.cast(v => {
  if (v === '') {
    return null;
  }
  return castObjectId(v);
});

run().catch(err => {
  console.log(err);
  process.exit(-1);
});

async function run() {
  await mongoose.connect('mongodb://localhost:27017/test');

  const schema = new mongoose.Schema({ testId: mongoose.ObjectId });
  const Test = mongoose.model('Test', schema);

  const { _id } = await Test.create({ testId: '' });

  const doc = await Test.findById(_id);
  console.log(doc);
}