🦋 Changeset detected

Latest commit: 06e7be7

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

All contributors have signed the CLA ✍️ ✅
_{Posted by the CLA Assistant Lite bot.}

Open in StackBlitz

npm i https://pkg.pr.new/cloudflare/capnweb@169

commit: 06e7be7

Side note: While Cap'n Web's accepted types are similar to structured clone, it's explicitly not exactly the same set. There are some types we support that structured clone doesn't, some we don't support that it does, an notably structured clone supports cycles but we emphatically refuse to.

Just pointing that out since I see a lot of references to "structured clone" here.

good point, I’ll stop calling this “structured clone.” The intent here was not to claim Cap’n Web follows structured clone exactly.

Dimitri raised that Workers RPC accepts values like ArrayBuffer, Map/Set, RegExp, and typed arrays, and downstream had to change an existing Worker RPC contract from ArrayBuffer to Uint8Array only because capnweb-validate rejected it. So I tried to make the validator target the broader RPC-compatible runtime value set rather than exactly Cap’n Web’s current serializer set.

do you agree with that direction for capnweb-validate? In other words: should validation accept Workers-RPC-supported value types and let Cap’n Web transport reject anything it still can’t serialize, or should this package enforce Cap’n Web’s exact transport surface by default?

either way, I’ll rename/remove the “structured clone” wording

Yeah it makes sense to support a superset of what both RPC implementations support, and leave it up to the RPC system to complain if it can't serialize something.

A single implemented interface or an explicit is only used to sharpen the signatures of methods that already exist on the class; extra public methods stay exposed and validated.

Hmm, I think I'd argue that if someone does explicitly write @validateRpc<T>(), then we should allow only the methods of T -- other public methods are essentially deemed "invalid" for any call. But if no <T> is specified, we should allow all public methods. This makes sense to me as saying "Validate that calls follow exactly the interface T".

pushed a commit to change the explicit type-argument behavior.

interface Api {
  greet(name: string): Promise<string>;
}

@validateRpc<Api>()
export class Service extends RpcTarget implements Api {
  async greet(name: string): Promise<string> { /* ... */ }

   // this method no in Api
  status() {
    return "email";
  }
}

in this case, Api is now the RPC surface. calling status() through the decorated/wrapped instance, including over RPC, will fail with a runtime validation error because status is not in the generated validator.

without the explicit type argument, the surface is still the class public RPC surface, so status() remains exposed and validated from the class signature

The Cap'n Web-specific code is just integration around Cap'n Web APIs. Server helpers wrap Cap'n Web boundary functions, and client helpers wrap Cap'n Web stubs because there is no class instance on the client. Workers built-in RPC clients are not wrapped client-side today; the decorated service still validates the server boundary.

Hmm, I don't understand what this means. What does it mean for things to be wrapped "client-side"? Why does it make sense for Cap'n Web but not Workers RPC?

I explained that poorly.

the "client-side wrapping" part is an extra feature for Cap'n Web clients. in Cap'n Web, client code usually creates a remote API object by calling something like newHttpBatchRpcSession<Api>(). Since that is a normal function call in user code, the plugin can rewrite it and put a validation wrapper around the returned client stub.

workers RPC client objects are different. the client usually gets them from the platform as env.SERVICE. there is no obvious function call like newHttpBatchRpcSession<Api>() for the plugin to rewrite. so this PR validates workers RPC at the decorated server boundary, but does not currently support adding an automatic client-side validation wrapper around Workers RPC bindings.

in Cap'n Web, client code usually creates a remote API object by calling something like newHttpBatchRpcSession(). Since that is a normal function call in user code, the plugin can rewrite it and put a validation wrapper around the returned client stub.

Ah so to be clear, this wrapper would validate method return values from Api, rather than arguments? (Or if the client passes a stub to the server, then it would validate method arguments on that stub?)

And you're saying capnweb-validate will "rewrite" calls to newHttpBatchRpcSession<T>() and similar functions to automatically add validation? How does this rewriting work? The type parameter is obviously needed in order to decide what validation to apply, so runtime monkey-patching can't do the job. I guess you must be using some sort of bundler plugin to do the rewrite?

I think in many cases this client-side validation is not really needed since the client fully trusts the server. So I'm not sure it's desirable to make it automatic. I would say we should give people an explicit way to add the validation, like:

let stub = validateStub<T>(newWebSocketRpcSession<T>(...))`

Then this explicit validateStub function could also be used on Workers RPC stubs.

By the way, we probably need a way to coerce a validated stub to another type, so that e.g. if an API returns RpcStub<any>, we can coerce it to a specific RpcStub<T>. Note the coercion requires removing the existing validation wrapper and then adding a new wrapper. So this may call for another function like coerceStub<T> that does this?

in Cap'n Web, client code usually creates a remote API object by calling something like newHttpBatchRpcSession(). Since that is a normal function call in user code, the plugin can rewrite it and put a validation wrapper around the returned client stub.

Ah so to be clear, this wrapper would validate method return values from Api, rather than arguments? (Or if the client passes a stub to the server, then it would validate method arguments on that stub?)

And you're saying capnweb-validate will "rewrite" calls to newHttpBatchRpcSession<T>() and similar functions to automatically add validation? How does this rewriting work? The type parameter is obviously needed in order to decide what validation to apply, so runtime monkey-patching can't do the job. I guess you must be using some sort of bundler plugin to do the rewrite?

I think in many cases this client-side validation is not really needed since the client fully trusts the server. So I'm not sure it's desirable to make it automatic. I would say we should give people an explicit way to add the validation, like:

let stub = validateStub<T>(newWebSocketRpcSession<T>(...))`

Then this explicit validateStub function could also be used on Workers RPC stubs.

By the way, we probably need a way to coerce a validated stub to another type, so that e.g. if an API returns RpcStub<any>, we can coerce it to a specific RpcStub<T>. Note the coercion requires removing the existing validation wrapper and then adding a new wrapper. So this may call for another function like coerceStub<T> that does this?

yes. today this works through the capnweb-validate unplugin/CLI build transform.

the transform uses the TypeScript checker to find calls like newHttpBatchRpcSession<Api>(), resolves Api, emits a runtime validator, and rewrites the call to an internal helper that calls the real Cap’n Web constructor and wraps the returned stub in a Proxy.
that proxy validates outgoing args and resolved return values.
runtime monkey-patching would not work because the type argument is erased.

I agree with the new direction: client-side stub validation should be explicit rather than automatic. I’ll update this PR to remove the automatic Cap’n Web client constructor rewriting. Since server-boundary validation already exists through @validateRpc(), the client-side replacement would be an explicit API like validateStub<T>(stub), with a possible coerceStub<T>() for replacing an existing wrapper. I can include that here if we agree on the API shape, or split it into a follow-up PR.

@kentonv, I pushed 153d6f6 removing the automatic client constructor rewrite.

so this PR is now only server-boundary validation via @validateRpc(). the example reflects that: the Worker is transformed, the React client uses normal Cap’n Web sessions.

for follow-up, I’d make client validation explicit:

const api = validateStub<Api>(newHttpBatchRpcSession<Api>("/api"));

and the same should work for Workers RPC stubs:

const api = validateStub<Api>(env.SERVICE);

I’d have validateStub<T>() reuse the old proxy behavior: validate args before calls through the stub, and validate resolved return values on the caller side. for normal client-to-server stubs, the return check is the main value; the arg check matters for callback/capability stubs passed over RPC.

I'd skip coerceStub<T>() for now unless we have a concrete RpcStub<any> case, and when we do, the unwrap-then-rewrap is the part to get right

that proxy validates outgoing args and resolved return values.

I don't think we ever need to validate outgoing values. This is redundant since the recipient will need to validate again on its end for security. Can we differentiate outgoing wrappers vs. incoming wrappers, where incoming wrappers validate only arguments and outgoing wrappers validate only return values?

that proxy validates outgoing args and resolved return values.

I don't think we ever need to validate outgoing values. This is redundant since the recipient will need to validate again on its end for security. Can we differentiate outgoing wrappers vs. incoming wrappers, where incoming wrappers validate only arguments and outgoing wrappers validate only return values?

Done. validation is now receive-side only: a wrapper validates what it receives, never what it sends, since the receiver re-validates anyway.

• incoming wrappers (server target, @validateRpc()): validate arguments only; returns pass through unvalidated.
• outgoing wrappers (client stub, validateStub<T>()): validate resolved returns only; outgoing args pass through, and the generated client validators omit argument validators entirely.
• capabilities follow the same rule in both directions: a stub you receive and later call through is wrapped as outgoing (validates only its returns); a capability you expose is wrapped as incoming (validates only the args called into it).

client validation is also explicit now. I dropped the automatic Cap'n Web client-constructor rewrite, users opt in with validateStub<T>(stub), which works the same in a worker calling another service