fix: skip safe methods #167
Conversation
I dislike this approach. You basically add the check that the method is in the array on every request. But this does not need to be done on every request. You could hook onRoute and, if the route is a protected route, add csrfProtection as a preParsing hook to the routeObject of the onRoute hook.

@Uzlopak I'm not very familiar with the 'onRoute' hook yet (and I hadn't thought about it :p). Is the hook triggered after plugin registration?
It would be a large text to describe what I mean. See the following code pieces:

```js
fastify.addHook('onRoute', onRoute)
```

Now we need the onRoute code, which for simplicity we put into the plugin function to access the pluginOptions `opts`:

```js
// routeOpts is the route definition object fastify passes to every onRoute hook
function onRoute (routeOpts) {
  const { hook = 'preValidation' } = opts // <-- pluginOptions
  // protect when the route asks for it explicitly, or when autoProtect is on
  // and the route's method is one of the configured protected methods
  if (routeOpts.csrfProtect || (opts.autoProtect && opts.protectedMethods.includes(routeOpts.method))) {
    // a route-level hook may already be a single function or an array
    routeOpts[hook] = [].concat(routeOpts[hook] || [])
    routeOpts[hook].push(csrfProtection)
  }
}
```

If you know your csrf token is in the body, you need to parse it, so you would set the hook to

And of course validate that hook is a valid lifecycle hook, and keep in mind that onRequest and preValidation have an arity of 3 but preParsing has an arity of 4. So you could do it like here

This should help you to get at least an MVP. There are probably some improvements possible to improve the DX.
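The onRoute approach described above, as an added example that is not code from the PR or from the plugin: a standalone version of the per-route decision (no fastify dependency) with the hook-name and arity checks mentioned in the comment, which also handles routes that declare an array of methods and a route-level hook given as a single function. The option names `autoProtect`, `protectedMethods`, `hook` and the per-route `csrfProtect` flag are assumed from the thread, and `csrfProtection` is a placeholder body.

```javascript
// Valid lifecycle hooks for the CSRF check; anything later (e.g. onSend)
// runs after the handler and would be useless for protection.
const LIFECYCLE_HOOKS = ['onRequest', 'preParsing', 'preValidation', 'preHandler']

// Methods that need a token; GET/HEAD/OPTIONS are the safe methods this PR skips.
const DEFAULT_PROTECTED = ['POST', 'PUT', 'PATCH', 'DELETE']

// Placeholder hook (constructed): the real check would verify the token here.
function csrfProtection (req, reply, done) { done() }

// Builds the function to pass to fastify.addHook('onRoute', ...).
// opts: { hook, autoProtect, protectedMethods } are assumed plugin option names.
function makeOnRoute (opts = {}, csrfHook = csrfProtection) {
  const { hook = 'preValidation', autoProtect = true, protectedMethods = DEFAULT_PROTECTED } = opts
  if (!LIFECYCLE_HOOKS.includes(hook)) {
    throw new Error(`csrf-protection: "${hook}" is not a usable lifecycle hook`)
  }
  // preParsing hooks are (req, reply, payload, done); the others are (req, reply, done).
  const arity = hook === 'preParsing' ? 4 : 3
  if (csrfHook.length !== arity) {
    throw new Error(`csrf-protection: ${hook} hook must take ${arity} arguments`)
  }
  const protectedSet = new Set(protectedMethods.map(m => m.toUpperCase()))

  // Returns true when csrfHook was attached to this route, false when it was skipped.
  return function onRoute (routeOpts) {
    // fastify accepts a single method string or an array of methods per route
    const methods = [].concat(routeOpts.method).map(m => m.toUpperCase())
    const explicit = routeOpts.csrfProtect
    const wanted = explicit === true ||
      (explicit !== false && autoProtect && methods.some(m => protectedSet.has(m)))
    if (!wanted) return false
    // A route-level hook may already be a single function or an array; normalise to an array.
    routeOpts[hook] = [].concat(routeOpts[hook] || [], csrfHook)
    return true
  }
}
```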
I don't think this is a good idea as @Uzlopak suggested. This could probably be a line in the readme stating that you don't need this for safe methods, and to use route encapsulation so it doesn't apply to safe methods on routes.
You can close this PR. I don't use this lib on my side; it was just to help, but right now I don't have a lot of time :)
Fixes issue: #166
This PR introduces the ability to pass the protected methods as module options.