fix(arktype-validator): Don't return restricted fields in error responses (#1137)

* fix(arktype-validator): add failing test for cookie header * fix(arktype-validator): add restricted fields that are not returned in the "data" field of the error * chore: add changeset
2025-04-28 08:17:34 +02:00 · 2025-04-28 08:17:34 +02:00 · 01cd896e9b
parent 928f8cd5b8
commit 01cd896e9b
3 changed files with 61 additions and 1 deletions
--- a/.changeset/silent-worms-mate.md
+++ b/.changeset/silent-worms-mate.md
@ -0,0 +1,5 @@
+---
+'@hono/arktype-validator': patch
+---
+
+Don't return restricted data fields on error responses
--- a/packages/arktype-validator/src/index.test.ts
+++ b/packages/arktype-validator/src/index.test.ts
@ -35,6 +35,17 @@ describe('Basic', () => {
    }
  )

+  app.get(
+    '/headers',
+    arktypeValidator(
+      'header',
+      type({
+        'User-Agent': 'string',
+      })
+    ),
+    (c) => c.json({ success: true, userAgent: c.header('User-Agent') })
+  )
+
  type Actual = ExtractSchema<typeof route>
  type Expected = {
    '/author': {
@ -98,6 +109,22 @@ describe('Basic', () => {
    const data = (await res.json()) as { success: boolean }
    expect(data['success']).toBe(false)
  })
+
+  it("doesn't return cookies after headers validation", async () => {
+    const req = new Request('http://localhost/headers', {
+      headers: {
+        'User-Agent': 'invalid',
+        Cookie: 'SECRET=123',
+      },
+    })
+
+    const res = await app.request(req)
+    expect(res).not.toBeNull()
+    expect(res.status).toBe(400)
+    const data = (await res.json()) as { succcess: false; errors: type.errors }
+    expect(data.errors).toHaveLength(1)
+    expect(data.errors[0].data).not.toHaveProperty('cookie')
+  })
 })

 describe('With Hook', () => {
--- a/packages/arktype-validator/src/index.ts
+++ b/packages/arktype-validator/src/index.ts
@ -10,6 +10,10 @@ export type Hook<T, E extends Env, P extends string, O = {}> = (

 type HasUndefined<T> = undefined extends T ? true : false

+const RESTRICTED_DATA_FIELDS = {
+  header: ['cookie'],
+}
+
 export const arktypeValidator = <
  T extends Type,
  Target extends keyof ValidationTargets,
@ -54,7 +58,31 @@ export const arktypeValidator = <
      return c.json(
        {
          success: false,
-          errors: out,
+          errors:
+            target in RESTRICTED_DATA_FIELDS
+              ? out.map((error) => {
+                  const restrictedFields =
+                    RESTRICTED_DATA_FIELDS[target as keyof typeof RESTRICTED_DATA_FIELDS] || []
+
+                  if (
+                    error &&
+                    typeof error === 'object' &&
+                    'data' in error &&
+                    typeof error.data === 'object' &&
+                    error.data !== null &&
+                    !Array.isArray(error.data)
+                  ) {
+                    const dataCopy = { ...(error.data as Record<string, unknown>) }
+                    for (const field of restrictedFields) {
+                      delete dataCopy[field]
+                    }
+
+                    error.data = dataCopy
+                  }
+
+                  return error
+                })
+              : out,
        },
        400
      )