FR, Bug Report - Guard chaining

[Heniker]

What is the problem this feature would solve?

Elysia handles multiple .guard calls very strangely.

See the following example:

import { Elysia, t } from 'elysia'

const OnlyStrongPassword = new Elysia()
  .guard({
    body: t.Object({ password: t.Literal('strong-password') }, { additionalProperties: true }),
    beforeHandle() {
      console.log('Checking password...')
    },
  })
  .as('plugin')

const app = new Elysia()
  .use(OnlyStrongPassword)
  .guard({
    body: t.Object({ username: t.Literal('Jhon') }, { additionalProperties: true }),
    beforeHandle() {
      console.log('Checking name...')
    },
  })
  .post('/test', ({ body }) => {
    return 'Hello ' + body.username
  })
  .listen(3000)

const response = await app
  .handle(
    new Request('http://localhost/test', {
      // notice how password is wrong
      body: JSON.stringify({ password: 'weak-password', username: 'Jhon' }),
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
    })
  )
  .then((res) => res.text())

console.log(response)

This logs:

Checking password...
Checking name...
Hello Jhon

Despite provided password being wrong.

What is the feature you are proposing to solve the problem?

Elysia already partially handles combining multiple guards - e.g. it's possible to use query in one guard and body in the other correctly.

The proposed solution is to allow .guard chaining by turning resulting value into intersection.

Using t.Intersect instead of replacing value in mergeHook function worked fine for my use-case.

elysia/src/utils.ts

Line 200 in caaf17c

export const mergeHook = (

The types in MergeSchema must also be updated.

elysia/src/types.ts

Line 543 in caaf17c

export interface MergeSchema<

What alternatives have you considered?

Throw Error or warn about chaining multiple .guard calls.

[hisamafahri]

I think it's expected as far as my knowledge goes.
You need to move the username guard to be the same level as the password guards, a plugin, to merge it together (instead of replacing it).

You can try this:

import { Elysia, t } from "elysia";

const passwordGuard = new Elysia().guard({
  body: t.Object({
    password: t.Literal("secure-password"),
  }, { additionalProperties: true }),
}).as('plugin')

const bodyGuard = new Elysia()
  .guard({
    body: t.Object({
      name: t.Literal("John"),
    }, { additionalProperties: true }),
  }).as('plugin')

const app = new Elysia()
  .use(bodyGuard)
  .use(passwordGuard)
  .post("/hello", ({ body }) => {
    return body;
  });

app.listen(9000);

const response = await app
  .handle(
    new Request("http://localhost:9000/hello", {
      body: JSON.stringify({ password: "weak-password", username: "Jhon" }),
      method: "POST",
      headers: { "Content-Type": "application/json" },
    }),
  )
  .then((res) => res.text());

console.log(response);

It should return something like this:

{
  "type": "validation",
  "on": "body",
  "summary": "Expected 'secure-password'",
  "property": "/password",
  "message": "Expected 'secure-password'",
...

[Heniker]

No, that doesn't really work.

const response = await app
  .handle(
    new Request("http://localhost:9000/hello", {
      // now username is wrong, but request still passes
      body: JSON.stringify({ password: "secure-password", username: "Bad Username" }),
      method: "POST",
      headers: { "Content-Type": "application/json" },
    }),
  )
  .then((res) => res.text());

console.log(response);

[SaltyAom]

Hi, this happens because Elysia overrides the properties of a hook when it is a type (in this case "body").

This means it only checks if the username is valid.