Input validation on server? #751
davesteinberg asked this question in Q&A
-
You can run whatever you want inside a server function. So I imagine you could use something like |
-
I've just been watching and reading some of your introductory material, haven't actually started trying anything out, but I'm super impressed by everything I've seen so far.
All of the server$/createServerData$/createServerAction$ magic immediately raised a question for me, and I haven't found an answer yet.
It's all very cool. I really like the simplicity of the approach and the ability to mix server code and client code that uses it together in the same module.
Coming from tRPC, one thing jumps out as missing: input validation. Type safety is very nice to have, but it's not enough on the server, is it? Once my function gets exposed as a handler for HTTP requests, anyone can send anything they want to it. If that function makes assumptions about the types of inputs, that seems extremely dangerous.
Is this risk mitigated somehow?
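The concern raised in the question, shown as an added example that is not part of the original discussion and is not the framework's own code: the argument of a server function is treated as `unknown` and checked at runtime before any typed logic runs. The names `UpdateQty`, `parseUpdateQty` and `updateQtyHandler` are hypothetical, and the handler stands in for the body you would place inside a server function.

```typescript
// Hypothetical names throughout; the handler stands in for the body of a server function.
type UpdateQty = { itemId: string; quantity: number };
type Parsed = { value: UpdateQty | null; errors: string[] };

const ITEM_ID = /^[a-z0-9-]{1,36}$/;

// The argument is whatever the HTTP client serialized, so it is typed unknown, not UpdateQty.
function parseUpdateQty(raw: unknown): Parsed {
  if (typeof raw !== "object" || raw === null || Array.isArray(raw)) {
    return { value: null, errors: ["input must be a JSON object"] };
  }
  const rec = raw as Record<string, unknown>;
  const errors: string[] = [];
  // Reject unexpected keys instead of passing them on to later code.
  for (const key of Object.keys(rec)) {
    if (key !== "itemId" && key !== "quantity") errors.push("unexpected key: " + key);
  }
  const itemId = rec["itemId"];
  const quantity = rec["quantity"];
  if (typeof itemId !== "string" || !ITEM_ID.test(itemId)) {
    errors.push("itemId must match " + ITEM_ID.source);
  }
  if (typeof quantity !== "number" || !Number.isInteger(quantity) || quantity < 1 || quantity > 99) {
    errors.push("quantity must be an integer from 1 to 99");
  }
  if (errors.length > 0) return { value: null, errors };
  return { value: { itemId: itemId as string, quantity: quantity as number }, errors };
}

// Validate first; only the checked, typed value reaches the business logic.
function updateQtyHandler(raw: unknown): { status: number; body: string } {
  const parsed = parseUpdateQty(raw);
  const input = parsed.value;
  if (input === null) return { status: 400, body: parsed.errors.join("; ") };
  return { status: 200, body: "set " + input.itemId + " to " + input.quantity };
}

// Constructed request bodies, as they would arrive on the wire.
const samples = [
  '{"itemId":"sku-42","quantity":3}',
  '{"itemId":"sku-42","quantity":"3"}',
  '{"itemId":"sku-42","quantity":1,"isAdmin":true}',
  '{"itemId":["sku-42"],"quantity":-1}',
];
for (const s of samples) console.log(s, "->", updateQtyHandler(JSON.parse(s)));
```

A schema library can replace the hand-written checks; the structure stays the same, with parsing from `unknown` at the top of the function and typed code only after it succeeds.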