Request body is typed but not checked at runtime

[GauBen]

Describe the bug

It seems that the JSON schema given to .route() is purely informational despite what the documentation suggests:

const router = createRouter().route({
  method: 'POST',
  path: '/greetings',
  schemas: {
    request: {
      json: {
        type: 'object',
        properties: {
          name: { type: 'string' },
        },
        required: ['name'],
      },
    },
  },
  handler: async (request) => {
    const { name } = await request.json();
    console.log(typeof name); // Should print "string" according to TypeScript
    return Response.json({ hello: name });
  },
});

Running the following code will not return a server error:

fetch('http://localhost:3000/greetings', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
  },
  body: '{}',
})

To Reproduce Steps to reproduce the behavior:

https://stackblitz.com/edit/stackblitz-starters-zhnkw4?file=index.ts

Run yarn fetch in another terminal :

Expected behavior

I'm expecting the request to fail with a 400 Bad Request error

Environment:

• fets: 0.6.6

Additional context

[m4rvr]

I'm pretty sure it's related to #799 and #896

[ardatan]

I don't think this is related to those issues. It seems TypeBox validation doesn't work with regular JSON schemas.

[m4rvr]

But I'm getting the same issues, even when using the 1:1 JSON schema for params from the docs:

[MrOrz]

Still reproducible on 0.8.3. User can input anything without getting Bad Request errors.

[ardatan]

As I said earlier, if you don't use TypeBox to build the schema, runtime validations won't be available. We did not want to embed an extta validation system like AJV which will considerably increase the bundle size. So if you want to have this, you need to use TypeBox.

[MrOrz]

Thanks @ardatan for the prompt response! I inserted a few console.log and found that my requests fail the Typebox type guards. So in order to use validation, it seems that Typebox is a must.

It would be great if such constraint is included in the Type-Safety & Validation document. The page only mentions about the validation and bad requests, but the description can hardly connect to TypeBox.