fix(server): using zod v4 and fastify were expecting different specification versions for json schemas

Author: sneko

packages/server/package.json

@@ -42,7 +42,10 @@
     "@fastify/websocket": "^7.1.3",
     "@socialgouv/e2esdk-api": "workspace:^",
     "@socialgouv/e2esdk-crypto": "workspace:^",
+    "ajv": "^8.17.1",
+    "ajv-formats": "^3.0.1",
     "dotenv": "^16.0.3",
+    "fast-uri": "^3.1.0",
     "fastify": "^4.15.0",
     "fastify-micro": "4.0.0-beta.4",
     "fastify-plugin": "^4.5.0",

packages/server/src/server.ts

@@ -1,3 +1,6 @@
+import addFormats from 'ajv-formats'
+import Ajv2020 from 'ajv/dist/2020.js'
+import fastUri from 'fast-uri'
 import { createServer as createFastifyServer } from 'fastify-micro'
 import path from 'node:path'
 import { fileURLToPath } from 'node:url'
@@ -150,6 +153,27 @@ export function createServer() {
     },
   })
 
+  // By default Fastify is using the JSON schema specification "draft 7" whereas new librairies like Zod v4
+  // by default generates schemas for the specification "2020-12", so make sure the AJV instance is for this specification
+  // (otherwise the schema parsing would not work)
+  const ajv = new Ajv2020({
+    // We reuse the initial Fastify parameters they pass to be "safe"
+    // Ref: https://fastify.dev/docs/v4.29.x/Reference/Validation-and-Serialization/#validator-compiler
+    coerceTypes: 'array',
+    useDefaults: true,
+    removeAdditional: true,
+    uriResolver: fastUri,
+    addUsedSchema: false,
+    allErrors: false, // Explicitly set allErrors to `false`. When set to `true`, a DoS attack is possible.
+  })
+
+  // Native formats like "uuid" are not supported by default, so adding them
+  addFormats(ajv)
+
+  app.setValidatorCompiler(({ schema, method, url, httpPart }) => {
+    return ajv.compile(schema)
+  })
+
   app.ready(() => {
     app.log.debug({
       msg: 'Plugins loaded',