Throw on invalid status codes #4212
Conversation
|
I realized after opening this that Node.js does not throw on inputs like |
@jonchurch - my assertion is that |
|
Yea, I don't have any issues with this throwing on a float; we want to throw on whatever Node.js throws on as the minimum bar. If we can also help the users by also throwing on definitely nonsensical inputs (like status codes with fractions) that makes sense of course :) ! |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
|
as per the TC discussion, this is ready to merge, who is going to do that? @dougwilson , I see your red-X on this - is that still valid, or you are going to remove it and land? |
|
Thinking more about this and something bothers me. I took the approach the previous PR did, since it had been reviewed, but now I'm questioning the use of If someone monkey-patches My question has two parts:
See an example of the change in the diff: https://github.com/expressjs/express/pull/4212/files#diff-d86a59ede7d999db4b7bc43cb25a1c11L137-R142 |
Yes, as stated in #4223 (comment) , but this PR is already a breaking change, right? So I'm not sure if it's super relevant. The change itself makes sense to make, just like we call
I'm not really following on what this part of the question really is. The main reason the internals use Express' own API is especially useful for AOP type of design patterns, if the user so chooses to do them. The Node.js HTTP APIs do the same patterns as well, AFAIK. |
|
I wasn't clear. Re: breaking, I meant that someone's v4 You've answered my second question I believe. We aren't interested in making some methods private and off limits to users. Thanks, I wanted to bring up this point (re: effects of monkey-patching res.status with these changes) just so someone else could check it. Realizing that we use a lot of these helper methods internally would indicate that this change is not out of step with what is standard. |
|
Just read that linked comment and saw you did directly address the concern already 👍 |
|
Yep! I did, though, not directly address the monkey patching messing something up; that is indeed the case, but I don't think any more so than other aspects of Node.js and Javascript. I think that it is going to be possible for users to override something and cause a breakage, but I'm not sure that the effort in order to prevent such a thing is really worth it. From support experience, I think it is extremely rare for such an issue to really show up, haha. |
dougwilson
force-pushed
the
master
branch
2 times, most recently
from
eb10dba
to
340be0f
Compare
|
I think this PR should target branch https://github.com/expressjs/express/tree/5.0 and not master. |
This comment was marked as outdated.
This comment was marked as outdated.
this is the behavior of node's underlying HTTP module
This comment was marked as outdated.
This comment was marked as outdated.
| deprecate('res.status(' + JSON.stringify(code) + '): use res.status(' + Math.floor(code) + ') instead') | ||
| // Check if the status code is not an integer | ||
| if (!Number.isInteger(code)) { | ||
| throw new TypeError(`Invalid status code: ${code}. Status code must be an integer.`); |
There was a problem hiding this comment.
Should we continue JSON.stringify here so it's easier to debug a string vs number input?
There was a problem hiding this comment.
good idea, will implement this
| }; | ||
|
|
||
|
|
||
| res.status = function status(code) { |
There was a problem hiding this comment.
ty, copy paste fail at 3am
| @@ -847,7 +872,7 @@ res.redirect = function redirect(url) { | |||
| }); | |||
|
|
|||
| // Respond | |||
| this.statusCode = status; | |||
| this.status(status); | |||
There was a problem hiding this comment.
Any reason for these changes? Since it's internal, presumably we already trust and can use the fast path to just assign?
There was a problem hiding this comment.
this part of the diff is lifted from the original work to land this in v4
i didn't really consider that we should drop it
this diff in v4 was largely bc we accept status as optional param (I think) in a few public methods so wanted to lock it down
will take a closer look, open to your suggestion
There was a problem hiding this comment.
Sounds good, this case is reasonable. The other one is static but I don't have a strong opinion either way, go for it.
There was a problem hiding this comment.
I agree when we can easily have the fast path we should take it. In this case I doubt it is very meaningfully different but longer term it would be great to have better benchmarks in place to track how changes like this could impact the bigger perf picture.
| @@ -847,7 +872,7 @@ res.redirect = function redirect(url) { | |||
| }); | |||
|
|
|||
| // Respond | |||
| this.statusCode = status; | |||
| this.status(status); | |||
There was a problem hiding this comment.
I agree when we can easily have the fast path we should take it. In this case I doubt it is very meaningfully different but longer term it would be great to have better benchmarks in place to track how changes like this could impact the bigger perf picture.
Closes #3143
Will throw a
RangeErrorif status code:This aligns with Node.js' behavior of throwing if given something outside that range
Will throw a
TypeErrorif status code is:This is a choice we are making to limit the acceptable input.
Use
res.statusinternally when setting status codesthe PR also ensures we use
res.statusinternally when setting status codes, to allow us to use the validation logic internally.Test changes
I cleaned up the tests to test acceptable range, and invalid codes, and removed the
iojslogic as its not supported in v5.TODO:
500.5, but allows500.00bc it is the same to JS), throws a RangeError if we get a status code outside 1xx to 9xx rangerelated: expressjs/discussions#233