Configure raw body handling at http foundation layer

Author: CarsonF

package.json

@@ -72,6 +72,7 @@
     "fast-safe-stringify": "^2.1.1",
     "fastest-levenshtein": "^1.0.16",
     "fastify": "^4.28.1",
+    "fastify-raw-body": "^4.3.0",
     "file-type": "^18.6.0",
     "glob": "^10.3.10",
     "got": "^14.3.0",

src/components/file/local-bucket.controller.ts

@@ -1,4 +1,5 @@
 import {
+  Body,
   Controller,
   Get,
   Headers,
@@ -9,9 +10,8 @@ import {
 } from '@nestjs/common';
 import { DateTime } from 'luxon';
 import { URL } from 'node:url';
-import rawBody from 'raw-body';
 import { InputException } from '~/common';
-import { HttpAdapter, IRequest, IResponse } from '~/core/http';
+import { HttpAdapter, IRequest, IResponse, RawBody } from '~/core/http';
 import { FileBucket, InvalidSignedUrlException } from './bucket';
 
 /**
@@ -27,14 +27,13 @@ export class LocalBucketController {
   ) {}
 
   @Put()
+  @RawBody({ passthrough: true })
   async upload(
     @Headers('content-type') contentType: string,
     @Request() req: IRequest,
+    @Body() contents: Buffer,
   ) {
-    // Chokes on json files because they are parsed with body-parser.
-    // Need to disable it for this path or create a workaround.
-    const contents = await rawBody(req);
-    if (!contents) {
+    if (!contents || !Buffer.isBuffer(contents)) {
       throw new InputException();
     }
 

src/core/http/decorators.ts

@@ -2,6 +2,7 @@ import {
   FASTIFY_ROUTE_CONFIG_METADATA,
   FASTIFY_ROUTE_CONSTRAINTS_METADATA,
 } from '@nestjs/platform-fastify/constants.js';
+import { Many } from '@seedcompany/common';
 import { createMetadataDecorator } from '@seedcompany/nest';
 import { FastifyContextConfig } from 'fastify';
 import type { RouteConstraint } from 'fastify/types/route';
@@ -17,3 +18,39 @@ export const RouteConfig = createMetadataDecorator({
   types: ['class', 'method'],
   setter: (config: FastifyContextConfig) => config,
 });
+
+/**
+ * @example
+ * ```ts
+ * @RawBody()
+ * route(
+ *   @Request('rawBody') raw: string,
+ *   @Body() contents: JSON
+ * ) {}
+ * ```
+ * @example
+ * ```ts
+ * @RawBody({ passthrough: true })
+ * route(
+ *   @Body() contents: Buffer
+ * ) {}
+ * ```
+ */
+export const RawBody = createMetadataDecorator({
+  types: ['class', 'method'],
+  setter: (
+    config: {
+      /**
+       * Pass the raw body through to the handler or
+       * just to keep the raw body in addition to regular content parsing.
+       */
+      passthrough?: boolean;
+      /**
+       * The allowed content types.
+       * Only applicable if passthrough is true.
+       * Defaults to '*'
+       */
+      allowContentTypes?: Many<string> | RegExp;
+    } = {},
+  ) => config,
+});

src/core/http/http.adapter.ts

@@ -12,9 +12,10 @@ import {
   NestFastifyApplication,
 } from '@nestjs/platform-fastify';
 import type { FastifyInstance, HTTPMethods, RouteOptions } from 'fastify';
+import rawBody from 'fastify-raw-body';
 import * as zlib from 'node:zlib';
 import { ConfigService } from '~/core/config/config.service';
-import { RouteConfig, RouteConstraints } from './decorators';
+import { RawBody, RouteConfig, RouteConstraints } from './decorators';
 import type { CookieOptions, CorsOptions, IResponse } from './types';
 
 export type NestHttpApplication = NestFastifyApplication & {
@@ -54,6 +55,9 @@ export class HttpAdapter extends PatchedFastifyAdapter {
     });
     await app.register(cookieParser);
 
+    // Only on routes we've decorated.
+    await app.register(rawBody, { global: false });
+
     app.setGlobalPrefix(config.hostUrl$.value.pathname.slice(1));
 
     config.applyTimeouts(app.getHttpServer(), config.httpTimeouts);
@@ -71,6 +75,7 @@ export class HttpAdapter extends PatchedFastifyAdapter {
 
     const config = RouteConfig.get(handler) ?? {};
     const constraints = RouteConstraints.get(handler) ?? {};
+    const rawBody = RawBody.get(handler);
 
     let version: VersionValue | undefined = (handler as any).version;
     version = version === VERSION_NEUTRAL ? undefined : version;
@@ -79,13 +84,36 @@ export class HttpAdapter extends PatchedFastifyAdapter {
       constraints.version = version;
     }
 
+    // Plugin configured to just add the rawBody property while continuing
+    // to parse the content type normally.
+    // Useful for signed webhook payload validation.
+    if (rawBody && !rawBody.passthrough) {
+      config.rawBody = true;
+    }
+
     const route: RouteOptions = {
       method,
       url,
       handler,
       ...(Object.keys(constraints).length > 0 ? { constraints } : {}),
       ...(Object.keys(config).length > 0 ? { config } : {}),
     };
+
+    if (rawBody?.passthrough) {
+      const { allowContentTypes } = rawBody;
+      const contentTypes = Array.isArray(allowContentTypes)
+        ? allowContentTypes.slice()
+        : ((allowContentTypes ?? '*') as string | RegExp);
+      return this.instance.register(async (child) => {
+        child.removeAllContentTypeParsers();
+        child.addContentTypeParser(
+          contentTypes,
+          { parseAs: 'buffer' },
+          (req, payload, done) => done(null, payload),
+        );
+        child.route(route);
+      });
+    }
     return this.instance.route(route);
   }
 

yarn.lock

@@ -5492,6 +5492,7 @@ __metadata:
     fast-safe-stringify: "npm:^2.1.1"
     fastest-levenshtein: "npm:^1.0.16"
     fastify: "npm:^4.28.1"
+    fastify-raw-body: "npm:^4.3.0"
     file-type: "npm:^18.6.0"
     glob: "npm:^10.3.10"
     got: "npm:^14.3.0"
@@ -6966,6 +6967,17 @@ __metadata:
   languageName: node
   linkType: hard
 
+"fastify-raw-body@npm:^4.3.0":
+  version: 4.3.0
+  resolution: "fastify-raw-body@npm:4.3.0"
+  dependencies:
+    fastify-plugin: "npm:^4.0.0"
+    raw-body: "npm:^2.5.1"
+    secure-json-parse: "npm:^2.4.0"
+  checksum: 10c0/3260ab2fc3483a1668442b0a2b60a3f671948d8fc6e7a811ac782cfc28d31d8f064e7b3835ca21cb542d41c4a2a7bc84dd5c18ef0c38f90d7387dd6bbb83161d
+  languageName: node
+  linkType: hard
+
 "fastify@npm:4.28.1, fastify@npm:^4.28.1":
   version: 4.28.1
   resolution: "fastify@npm:4.28.1"
@@ -11467,7 +11479,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"raw-body@npm:2.5.2":
+"raw-body@npm:2.5.2, raw-body@npm:^2.5.1":
   version: 2.5.2
   resolution: "raw-body@npm:2.5.2"
   dependencies:
@@ -11975,7 +11987,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"secure-json-parse@npm:^2.7.0":
+"secure-json-parse@npm:^2.4.0, secure-json-parse@npm:^2.7.0":
   version: 2.7.0
   resolution: "secure-json-parse@npm:2.7.0"
   checksum: 10c0/f57eb6a44a38a3eeaf3548228585d769d788f59007454214fab9ed7f01fbf2e0f1929111da6db28cf0bcc1a2e89db5219a59e83eeaec3a54e413a0197ce879e4