Consider a NestJS controller using ValidationPipe with whitelist: true. What happens to extra properties sent in the request body that are not defined in the DTO?
    import { Controller, Post, Body, ValidationPipe } from '@nestjs/common';
    import { IsString } from 'class-validator';

    // DTO: `name` is the only declared property
    class CreateUserDto {
      @IsString()
      name: string;
    }

    @Controller('users')
    export class UsersController {
      @Post()
      create(
        // Pipe applied to this handler's body parameter only
        @Body(new ValidationPipe({ whitelist: true })) createUserDto: CreateUserDto
      ) {
        return createUserDto;
      }
    }
Think about what whitelist means in the context of filtering properties.
When whitelist: true is set, NestJS automatically removes any properties not defined in the DTO before passing the data to the controller. This helps keep the input clean and secure.
transform: true enabled?
Given the following DTO and controller, what will be the type of age inside the create method?
    import { Controller, Post, Body, ValidationPipe } from '@nestjs/common';
    import { IsInt } from 'class-validator';

    // DTO: `age` is declared as a number and validated as an integer
    class CreateUserDto {
      @IsInt()
      age: number;
    }

    @Controller('users')
    export class UsersController {
      @Post()
      create(
        @Body(new ValidationPipe({ transform: true })) createUserDto: CreateUserDto
      ) {
        // Returns the runtime type of `age` after the pipe has run
        return typeof createUserDto.age;
      }
    }
Consider what transform: true does to incoming data types.
With transform: true, NestJS converts the incoming JSON strings to the types defined in the DTO, so age becomes a number instead of a string.
whitelist and transform globally in a NestJS app?
Choose the correct way to apply ValidationPipe globally with whitelist and transform enabled.
    import { ValidationPipe } from '@nestjs/common';
    import { NestFactory } from '@nestjs/core';
    import { AppModule } from './app.module';

    async function bootstrap() {
      const app = await NestFactory.create(AppModule);
      // Apply global pipe here
      await app.listen(3000);
    }

    bootstrap();
Remember how to instantiate classes and pass options as an object.
The correct syntax uses new ValidationPipe with an object containing boolean options. Option B misses new, C uses wrong brackets, and A passes strings instead of booleans.
whitelist: true?
Examine the code below. The controller expects whitelist: true to remove extra properties, but they remain. What is the cause?
    import { Controller, Post, Body, ValidationPipe } from '@nestjs/common';
    import { IsString } from 'class-validator';

    // DTO: `username` is the only declared property
    class CreateUserDto {
      @IsString()
      username: string;
    }

    @Controller('users')
    export class UsersController {
      @Post()
      create(
        // Two options are combined on the same pipe instance
        @Body(new ValidationPipe({ whitelist: true, skipMissingProperties: true }))
        createUserDto: CreateUserDto
      ) {
        return createUserDto;
      }
    }
Check how skipMissingProperties affects validation behavior.
When skipMissingProperties is true, whitelist does not remove extra properties because validation skips missing fields, affecting the filtering process.
whitelist: true and forbidNonWhitelisted: true in NestJS ValidationPipe?
When both whitelist and forbidNonWhitelisted are set to true, what happens if the request body contains extra properties not in the DTO?
Consider what forbidNonWhitelisted adds on top of whitelist.
Setting forbidNonWhitelisted: true causes the validation to reject requests containing properties not in the DTO, throwing an error instead of silently removing them.