Prohibiting arbitrary data passed to superForm.

ciscoheat · ciscoheat · commit 78970c07dbd2 · 2023-06-08T12:51:41.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+- It's not possible to send arbitrary data to `superForm` anymore, a `SuperValidated` structure is required, which is retured from `superValidate`, so in most cases this is not a problem.
 - Reverted that `message/setMessage` and `setError` will throw an error if status is lower than 400. Using a range error type check instead.
 
 ### Fixed
diff --git a/src/lib/client/index.ts b/src/lib/client/index.ts
@@ -260,7 +260,7 @@ export function superForm<
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   M = any
 >(
-  form: z.infer<UnwrapEffects<T>> | SuperValidated<T, M>,
+  form: SuperValidated<T, M>,
   options: FormOptions<UnwrapEffects<T>, M> = {}
 ): SuperForm<UnwrapEffects<T>, M> {
   type UnwrappedT = UnwrapEffects<T>;
@@ -298,7 +298,7 @@ export function superForm<
       posted: false,
       errors: {},
       data: form ?? {},
-      constraints: {} as SuperValidated<T, M>['constraints']
+      constraints: {}
     };
   } else {
     if (_formId === undefined) _formId = form.id;
@@ -335,7 +335,7 @@ export function superForm<
   if (typeof initialForm.valid !== 'boolean') {
     throw new SuperFormError(
       'A non-validation object was passed to superForm. ' +
-        "Check what's passed to its first parameter (null/undefined is allowed)."
+        "Check what's passed to its first parameter."
     );
   }
 
diff --git a/src/routes/spa/without-zod/+page.svelte b/src/routes/spa/without-zod/+page.svelte
@@ -17,6 +17,7 @@
 
   console.log('Page loaded');
 
+  // @ts-expect-error Testing backwards compatibility of sending arbitrary data.
   const { form, errors, enhance, message } = superForm<Schema>(defaultData, {
     SPA: { failStatus: 401 },
     dataType: 'json',
diff --git a/src/routes/spa/zod/+page.svelte b/src/routes/spa/zod/+page.svelte
@@ -1,6 +1,6 @@
 <script lang="ts">
   import { page } from '$app/stores';
-  import { superForm } from '$lib/client';
+  import { superForm, superValidateSync } from '$lib/client';
   import SuperDebug from '$lib/client/SuperDebug.svelte';
   import { schema } from './schema';
 
@@ -17,21 +17,24 @@
 
   console.log('Page loaded');
 
-  const { form, errors, enhance, message } = superForm(defaultData, {
-    SPA: true,
-    dataType: 'json',
-    onUpdate({ form, cancel }) {
-      if ($page.url.searchParams.has('cancel')) cancel();
-      else if (form.valid) {
-        form.message = 'Successful!';
-        form.data.random = String(Math.random()).slice(2);
-      }
-    },
-    onUpdated({ form }) {
-      console.log('onUpdated, valid:', form.valid);
-    },
-    validators: schema
-  });
+  const { form, errors, enhance, message } = superForm(
+    superValidateSync(defaultData, schema),
+    {
+      SPA: true,
+      dataType: 'json',
+      onUpdate({ form, cancel }) {
+        if ($page.url.searchParams.has('cancel')) cancel();
+        else if (form.valid) {
+          form.message = 'Successful!';
+          form.data.random = String(Math.random()).slice(2);
+        }
+      },
+      onUpdated({ form }) {
+        console.log('onUpdated, valid:', form.valid);
+      },
+      validators: schema
+    }
+  );
 
   // <SuperDebug data={{ $form, $errors }} />
 </script>
