Breaking: Added option to allow unknown attribute/relationship keys in request body (false by default)

Author: Bart Koelman

src/JsonApiDotNetCore/Configuration/IJsonApiOptions.cs

@@ -118,6 +118,11 @@ public interface IJsonApiOptions
         /// </summary>
         bool AllowUnknownQueryStringParameters { get; }
 
+        /// <summary>
+        /// Whether or not to produce an error on unknown attribute and relationship keys in request bodies. False by default.
+        /// </summary>
+        bool AllowUnknownFieldsInRequestBody { get; }
+
         /// <summary>
         /// Determines whether legacy filter notation in query strings, such as =eq:, =like:, and =in: is enabled. False by default.
         /// </summary>

src/JsonApiDotNetCore/Configuration/JsonApiOptions.cs

@@ -74,6 +74,9 @@ public sealed class JsonApiOptions : IJsonApiOptions
         /// <inheritdoc />
         public bool AllowUnknownQueryStringParameters { get; set; }
 
+        /// <inheritdoc />
+        public bool AllowUnknownFieldsInRequestBody { get; set; }
+
         /// <inheritdoc />
         public bool EnableLegacyFilterNotation { get; set; }
 

src/JsonApiDotNetCore/Serialization/BaseDeserializer.cs

@@ -19,18 +19,21 @@ namespace JsonApiDotNetCore.Serialization
     public abstract class BaseDeserializer
     {
         private protected static readonly CollectionConverter CollectionConverter = new();
+        private readonly IJsonApiOptions _options;
 
         protected IResourceGraph ResourceGraph { get; }
         protected IResourceFactory ResourceFactory { get; }
         protected int? AtomicOperationIndex { get; set; }
 
-        protected BaseDeserializer(IResourceGraph resourceGraph, IResourceFactory resourceFactory)
+        protected BaseDeserializer(IResourceGraph resourceGraph, IResourceFactory resourceFactory, IJsonApiOptions options)
         {
             ArgumentGuard.NotNull(resourceGraph, nameof(resourceGraph));
             ArgumentGuard.NotNull(resourceFactory, nameof(resourceFactory));
+            ArgumentGuard.NotNull(options, nameof(options));
 
             ResourceGraph = resourceGraph;
             ResourceFactory = resourceFactory;
+            _options = options;
         }
 
         /// <summary>
@@ -123,6 +126,8 @@ private IIdentifiable SetAttributes(IIdentifiable resource, IDictionary<string,
             {
                 if (attributeValues.TryGetValue(attr.PublicName, out object newValue))
                 {
+                    attributeValues.Remove(attr.PublicName);
+
                     if (attr.Property.SetMethod == null)
                     {
                         throw new JsonApiSerializationException("Attribute is read-only.", $"Attribute '{attr.PublicName}' is read-only.",
@@ -148,6 +153,14 @@ private IIdentifiable SetAttributes(IIdentifiable resource, IDictionary<string,
                 }
             }
 
+            if (!_options.AllowUnknownFieldsInRequestBody && attributeValues.Any())
+            {
+                string attributeName = attributeValues.First().Key;
+
+                throw new JsonApiSerializationException("Request body includes unknown attribute.", $"Attribute '{attributeName}' does not exist.",
+                    atomicOperationIndex: AtomicOperationIndex);
+            }
+
             return resource;
         }
 
@@ -160,24 +173,26 @@ private IIdentifiable SetAttributes(IIdentifiable resource, IDictionary<string,
         /// <param name="relationshipValues">
         /// Relationships and their values, as in the serialized content.
         /// </param>
-        /// <param name="relationshipAttributes">
+        /// <param name="relationships">
         /// Exposed relationships for <paramref name="resource" />.
         /// </param>
         private IIdentifiable SetRelationships(IIdentifiable resource, IDictionary<string, RelationshipObject> relationshipValues,
-            IReadOnlyCollection<RelationshipAttribute> relationshipAttributes)
+            IReadOnlyCollection<RelationshipAttribute> relationships)
         {
             ArgumentGuard.NotNull(resource, nameof(resource));
-            ArgumentGuard.NotNull(relationshipAttributes, nameof(relationshipAttributes));
+            ArgumentGuard.NotNull(relationships, nameof(relationships));
 
             if (relationshipValues.IsNullOrEmpty())
             {
                 return resource;
             }
 
-            foreach (RelationshipAttribute attr in relationshipAttributes)
+            foreach (RelationshipAttribute attr in relationships)
             {
                 bool relationshipIsProvided = relationshipValues.TryGetValue(attr.PublicName, out RelationshipObject relationshipData);
 
+                relationshipValues.Remove(attr.PublicName);
+
                 if (!relationshipIsProvided || !relationshipData.Data.IsAssigned)
                 {
                     continue;
@@ -193,6 +208,14 @@ private IIdentifiable SetRelationships(IIdentifiable resource, IDictionary<strin
                 }
             }
 
+            if (!_options.AllowUnknownFieldsInRequestBody && relationshipValues.Any())
+            {
+                string relationshipName = relationshipValues.First().Key;
+
+                throw new JsonApiSerializationException("Request body includes unknown relationship.", $"Relationship '{relationshipName}' does not exist.",
+                    atomicOperationIndex: AtomicOperationIndex);
+            }
+
             return resource;
         }
 

src/JsonApiDotNetCore/Serialization/JsonConverters/ResourceObjectConverter.cs

@@ -28,6 +28,8 @@ public sealed class ResourceObjectConverter : JsonObjectConverter<ResourceObject
 
         public ResourceObjectConverter(IResourceGraph resourceGraph)
         {
+            ArgumentGuard.NotNull(resourceGraph, nameof(resourceGraph));
+
             _resourceGraph = resourceGraph;
         }
 
@@ -206,6 +208,7 @@ private static IDictionary<string, object> ReadAttributes(ref Utf8JsonReader rea
                         }
                         else
                         {
+                            attributes.Add(attributeName!, null);
                             reader.Skip();
                         }
 

src/JsonApiDotNetCore/Serialization/RequestDeserializer.cs

@@ -29,12 +29,11 @@ public class RequestDeserializer : BaseDeserializer, IJsonApiDeserializer
 
         public RequestDeserializer(IResourceGraph resourceGraph, IResourceFactory resourceFactory, ITargetedFields targetedFields,
             IHttpContextAccessor httpContextAccessor, IJsonApiRequest request, IJsonApiOptions options, IResourceDefinitionAccessor resourceDefinitionAccessor)
-            : base(resourceGraph, resourceFactory)
+            : base(resourceGraph, resourceFactory, options)
         {
             ArgumentGuard.NotNull(targetedFields, nameof(targetedFields));
             ArgumentGuard.NotNull(httpContextAccessor, nameof(httpContextAccessor));
             ArgumentGuard.NotNull(request, nameof(request));
-            ArgumentGuard.NotNull(options, nameof(options));
             ArgumentGuard.NotNull(resourceDefinitionAccessor, nameof(resourceDefinitionAccessor));
 
             _targetedFields = targetedFields;

test/JsonApiDotNetCoreTests/IntegrationTests/AtomicOperations/Creating/AtomicCreateResourceTests.cs

@@ -6,8 +6,10 @@
 using System.Threading.Tasks;
 using FluentAssertions;
 using FluentAssertions.Extensions;
+using JsonApiDotNetCore.Configuration;
 using JsonApiDotNetCore.Serialization.Objects;
 using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
 using TestBuildingBlocks;
 using Xunit;
 
@@ -28,6 +30,9 @@ public AtomicCreateResourceTests(IntegrationTestContext<TestableStartup<Operatio
             testContext.UseController<LyricsController>();
             testContext.UseController<MusicTracksController>();
             testContext.UseController<PlaylistsController>();
+
+            var options = (JsonApiOptions)testContext.Factory.Services.GetRequiredService<IJsonApiOptions>();
+            options.AllowUnknownFieldsInRequestBody = false;
         }
 
         [Fact]
@@ -211,10 +216,57 @@ await _testContext.RunOnDatabaseAsync(async dbContext =>
             });
         }
 
+        [Fact]
+        public async Task Cannot_create_resource_with_unknown_attribute()
+        {
+            // Arrange
+            string newName = _fakers.Playlist.Generate().Name;
+
+            var requestBody = new
+            {
+                atomic__operations = new[]
+                {
+                    new
+                    {
+                        op = "add",
+                        data = new
+                        {
+                            type = "playlists",
+                            attributes = new
+                            {
+                                doesNotExist = "ignored",
+                                name = newName
+                            }
+                        }
+                    }
+                }
+            };
+
+            const string route = "/operations";
+
+            // Act
+            (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecutePostAtomicAsync<Document>(route, requestBody);
+
+            // Assert
+            httpResponse.Should().HaveStatusCode(HttpStatusCode.UnprocessableEntity);
+
+            responseDocument.Errors.Should().HaveCount(1);
+
+            ErrorObject error = responseDocument.Errors[0];
+            error.StatusCode.Should().Be(HttpStatusCode.UnprocessableEntity);
+            error.Title.Should().Be("Failed to deserialize request body: Request body includes unknown attribute.");
+            error.Detail.Should().Be("Attribute 'doesNotExist' does not exist.");
+
+            responseDocument.Meta["requestBody"].ToString().Should().NotBeNullOrEmpty();
+        }
+
         [Fact]
         public async Task Can_create_resource_with_unknown_attribute()
         {
             // Arrange
+            var options = (JsonApiOptions)_testContext.Factory.Services.GetRequiredService<IJsonApiOptions>();
+            options.AllowUnknownFieldsInRequestBody = true;
+
             string newName = _fakers.Playlist.Generate().Name;
 
             var requestBody = new
@@ -261,10 +313,61 @@ await _testContext.RunOnDatabaseAsync(async dbContext =>
             });
         }
 
+        [Fact]
+        public async Task Cannot_create_resource_with_unknown_relationship()
+        {
+            // Arrange
+            var requestBody = new
+            {
+                atomic__operations = new[]
+                {
+                    new
+                    {
+                        op = "add",
+                        data = new
+                        {
+                            type = "lyrics",
+                            relationships = new
+                            {
+                                doesNotExist = new
+                                {
+                                    data = new
+                                    {
+                                        type = Unknown.ResourceType,
+                                        id = Unknown.StringId.Int32
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+            };
+
+            const string route = "/operations";
+
+            // Act
+            (HttpResponseMessage httpResponse, Document responseDocument) = await _testContext.ExecutePostAtomicAsync<Document>(route, requestBody);
+
+            // Assert
+            httpResponse.Should().HaveStatusCode(HttpStatusCode.UnprocessableEntity);
+
+            responseDocument.Errors.Should().HaveCount(1);
+
+            ErrorObject error = responseDocument.Errors[0];
+            error.StatusCode.Should().Be(HttpStatusCode.UnprocessableEntity);
+            error.Title.Should().Be("Failed to deserialize request body: Request body includes unknown relationship.");
+            error.Detail.Should().Be("Relationship 'doesNotExist' does not exist.");
+
+            responseDocument.Meta["requestBody"].ToString().Should().NotBeNullOrEmpty();
+        }
+
         [Fact]
         public async Task Can_create_resource_with_unknown_relationship()
         {
             // Arrange
+            var options = (JsonApiOptions)_testContext.Factory.Services.GetRequiredService<IJsonApiOptions>();
+            options.AllowUnknownFieldsInRequestBody = true;
+
             var requestBody = new
             {
                 atomic__operations = new[]