Accelerating Server-Side Development with Fastify

By: Manuel Spigolon, Maksim Sinik, Matteo Collina

Overview of this book

This book is a complete guide to server-side app development in Fastify, written by the core contributors of this highly performant plugin-based web framework. Throughout the book, you’ll discover how it fosters code reuse, thereby improving your time to market. Starting with an introduction to Fastify’s fundamental concepts, this guide will lead you through the development of a real-world project while providing in-depth explanations of advanced topics to prepare you to build highly maintainable and scalable backend applications. The book offers comprehensive guidance on how to design, develop, and deploy RESTful applications, including detailed instructions for building reusable components that can be leveraged across multiple projects. The book presents guidelines for creating efficient, reliable, and easy-to-maintain real-world applications. It also offers practical advice on best practices, design patterns, and how to avoid common pitfalls encountered by developers while building backend applications. By following these guidelines and recommendations, you’ll be able to confidently design, implement, deploy, and maintain an application written in Fastify, and develop plugins and APIs to contribute to the Fastify and open source communities.
Table of Contents (21 chapters)
Part 1: Fastify Basics
Part 2: Build a Real-World Project
Part 3: Advanced Topics

Securing the endpoints

So far, none of the routes we declared performs any check on the input the user passes. This isn’t good: as developers, we should always validate and sanitize the input of the APIs we expose. In our case, the createTodo and updateTodo handlers are both affected by this security issue, because they take request.body and pass it straight to the database.

First, to better understand the underlying issue, here is an example of how a user can inject undesired information into our database with our current implementation:

$ curl -X POST http://localhost:3000/todos -H "Content-Type: application/json" -d '{"title": "awesome task", "foo": "bar"}'
{"id": "6418214ad5e0cccc313cda85"}%
$ curl
{"id": "6418214ad5e0cccc313cda85", "title": "awesome task", "foo&quot...
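As an added example (this is not code from the book), the following block shows the fix for this class of bug: a JSON Schema for the createTodo body with `additionalProperties: false`, so only the keys we declare can reach the database. Because the schema alone cannot be run without a server, the block also includes a small stand-alone validator that mirrors what Fastify's default Ajv configuration (`removeAdditional: true`, `useDefaults: true`) does with such a schema, and replays the curl request from above through it. The Fastify wiring at the end assumes a hypothetical `todos` collection with an `insertOne` method returning `insertedId`; that shape is an assumption for illustration, not the book's code.

```javascript
// Added example, not code from the book: a JSON Schema for the createTodo
// body plus a stand-alone validator that mirrors what Fastify's default Ajv
// setup does with it (unknown keys removed, declared defaults applied).

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Only these keys may reach the database. `additionalProperties: false` is the
// line that stops a client from smuggling in "foo": "bar" or any other field.
const createTodoBodySchema = {
  type: 'object',
  required: ['title'],
  properties: {
    title: { type: 'string', minLength: 1, maxLength: 256 },
    completed: { type: 'boolean', default: false },
  },
  additionalProperties: false,
};

// Minimal validator for the JSON Schema subset used above (string/boolean
// properties, required, minLength/maxLength, default). Fastify's real
// validator is Ajv; this exists only so the behaviour can be run offline.
// Returns { ok: true, value, dropped } with a sanitized copy of the body,
// or { ok: false, errors } when the input must be rejected with a 400.
function validateBody(schema, body) {
  if (body === null || typeof body !== 'object' || Array.isArray(body)) {
    return { ok: false, errors: ['body must be object'] };
  }
  const errors = [];
  const value = {};
  for (const key of schema.required || []) {
    if (!has(body, key)) errors.push(`body must have required property '${key}'`);
  }
  for (const [key, rule] of Object.entries(schema.properties)) {
    if (!has(body, key)) {
      // useDefaults: fill in declared defaults so handlers see a stable shape
      if (has(rule, 'default')) value[key] = rule.default;
      continue;
    }
    const v = body[key];
    if (typeof v !== rule.type) {
      errors.push(`body/${key} must be ${rule.type}`);
      continue;
    }
    if (rule.type === 'string') {
      if (rule.minLength !== undefined && v.length < rule.minLength)
        errors.push(`body/${key} must NOT have fewer than ${rule.minLength} characters`);
      if (rule.maxLength !== undefined && v.length > rule.maxLength)
        errors.push(`body/${key} must NOT have more than ${rule.maxLength} characters`);
    }
    value[key] = v;
  }
  // removeAdditional: keys not listed in `properties` are never copied into
  // `value`, so they cannot reach the database. They are reported in `dropped`
  // so a handler (or a log line) can see what the client tried to send.
  const dropped = Object.keys(body).filter((k) => !has(schema.properties, k));
  return errors.length ? { ok: false, errors } : { ok: true, value, dropped };
}

// Wiring for a Fastify instance `app` and a hypothetical `todos` collection
// exposing insertOne(doc) -> { insertedId } (assumed shape, not the book's
// code). With `schema.body` set, Fastify validates and strips request.body
// before the handler runs, so it is safe to hand to the database.
function registerCreateTodo(app, todos) {
  app.post('/todos', { schema: { body: createTodoBodySchema } }, async (request, reply) => {
    const { insertedId } = await todos.insertOne(request.body);
    reply.code(201);
    return { id: insertedId };
  });
}

// Replay of the curl request from the text, run offline (constructed input).
const injected = validateBody(createTodoBodySchema, { title: 'awesome task', foo: 'bar' });
// injected.value → { title: 'awesome task', completed: false }; injected.dropped → ['foo']
```

Two points worth keeping in mind when applying this: with Fastify's default Ajv options the unknown `foo` key is silently stripped rather than rejected, which is usually what you want for a public API; if you prefer a hard 400 instead, pass `removeAdditional: false` through `fastify({ ajv: { customOptions: { ... } } })`. And the same schema (minus `required`) belongs on the updateTodo route, since the text names both handlers as affected.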