
Feathers 2019 new years news

 2 years ago
source link: https://blog.feathersjs.com/feathers-2019-new-years-news-f478d5f2c8cd

In another article we’ll look at the things that are on the move and planned for 2019 but first, here is what happened since the fall update.

Feathers Core

The crow situation

People love big major version number announcements. Unfortunately, as we mentioned before, this doesn’t really play well with either Semantic Versioning (where even the tiniest breaking change requires a major version update) or a modular system like Feathers where you can pick and choose the components you want to use. This is why Feathers is using bird names like Auk, Buzzard and the upcoming Crow for its release names. Because Feathers is so modular, however, you don't have to wait for a big release announcement to upgrade individual modules. If you have an existing Feathers application it will actually be easier to make those upgrades, like the database adapters below, as they are released.

Until it is announced, the Crow release means the latest published version of the modules in the @feathersjs namespace and the database adapters.

New docs

That said, we did start migrating the documentation for the next version away from GitBook to Vuepress, the static site documentation engine made by the crew over at VueJS. You can find the work in progress at:

Aside from the migration guide which will continuously be updated with migration instructions for newly released modules and features, the content is currently the same as the main documentation. It also comes with a new Cookbook section where we’d like to collect common Feathers patterns and recipes. For further discussion and to collect ideas for recipes, see this issue. If you have some design and styling ideas, feel free to join the discussion in this issue.

Database adapter updates

Having features enabled by default can make things easier for beginners but there is also a risk of exposing unintended functionality. The latest versions of the Feathers database adapters include some important security and usability updates that require explicitly enabling certain functionality that was previously available by default. The release versions are:

Although there may be breaking changes, upgrading is highly recommended since it will make your Feathers application more secure by default. You can find the full migration details in the DB adapter migration guide. Here is what changed:

Querying by id

All database adapters now support additional query parameters for get, remove, update and patch with an id. If the record does not match that query, even if the id is valid, a NotFound error will be thrown. This is very useful for the common case of restricting requests to a user or an organization, the same way as you already would in a find method.

Previously this required making an additional get request first.

Hook-less service methods

Service methods can now be called without any hooks by adding a _ in front of the method name, as in _find, _get, _create, _patch, _update and _remove. This can be useful if you need the raw data from the service and don't want to trigger any of its hooks. Note that these methods are only available in a Feathers database adapter and not for any other service unless it has been implemented explicitly.

Multi updates

Creating, updating or removing multiple records at once has always been part of the Feathers adapter specification and documented in the adapter common API but it appears to have been something that was often overlooked.

This means applications may accept requests that are not anticipated (like deleting or creating multiple records at once) and in the worst case be open to malicious requests. Additionally, it could lead to unexpected data in a hook that requires special cases (like context.data or context.result being an array).

Now, multiple create, patch and remove calls (with the id value set to null) are disabled by default and have to be enabled explicitly by setting the multi option when initializing the adapter service:

When using the multi option, hooks have to make sure to handle those cases and queries have to be secured accordingly (e.g. using feathers-authentication-hooks).

Whitelisting

Some database adapters allowed additional query parameters outside the official Feathers query syntax. To reduce the risk of allowing malicious queries, only the standard query syntax is now allowed.

Non-standard query parameters (any query property starting with a $) will now throw an error. To allow them, they have to be explicitly whitelisted using the whitelist option:

As with multi updates, it is important to consider the potential side effects of a whitelisted query parameter.
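The three adapter changes above (querying by id, the multi option and the whitelist option) can be seen together in the following added example, which is not code from the original post or from the Feathers adapters. It is a dependency-free model: ModelService, its error classes and the list of standard operators are assumptions made for illustration.

```javascript
// Dependency-free model of the adapter checks; all names here are hypothetical.
class NotFound extends Error {}
class MethodNotAllowed extends Error {}
class BadRequest extends Error {}

// Assumed list of standard Feathers query operators.
const STANDARD = ['$limit', '$skip', '$sort', '$select', '$in', '$nin',
  '$lt', '$lte', '$gt', '$gte', '$ne', '$or'];

class ModelService {
  constructor ({ multi = false, whitelist = [] } = {}) {
    this.multi = multi; // false, true, or an array of method names
    this.allowed = STANDARD.concat(whitelist);
    this.store = new Map();
  }

  // Reject any $-property, at any depth, that is neither standard nor whitelisted.
  checkQuery (query) {
    for (const [key, value] of Object.entries(query)) {
      if (key.startsWith('$') && !this.allowed.includes(key)) {
        throw new BadRequest(`Invalid query parameter ${key}`);
      }
      if (value && typeof value === 'object') this.checkQuery(value);
    }
  }

  // Equality filters only; enough to show ownership scoping.
  matches (record, query) {
    this.checkQuery(query);
    return Object.keys(query).filter(k => !k.startsWith('$'))
      .every(k => record[k] === query[k]);
  }
  create (data) { this.store.set(data.id, data); return data; }
  // A valid id is not enough: the record must also match the query.
  get (id, { query = {} } = {}) {
    const record = this.store.get(id);
    if (!record || !this.matches(record, query)) throw new NotFound(`No record for id ${id}`);
    return record;
  }
  // id === null means "every record matching the query" and needs the multi option.
  remove (id, { query = {} } = {}) {
    const enabled = this.multi === true || (Array.isArray(this.multi) && this.multi.includes('remove'));
    if (id === null && !enabled) throw new MethodNotAllowed('Can not remove multiple entries');
    const hits = id === null
      ? [...this.store.values()].filter(r => this.matches(r, query)) : [this.get(id, { query })];
    hits.forEach(r => this.store.delete(r.id));
    return id === null ? hits : hits[0];
  }
}
```

In a real application the userId filter would be added to params.query by a hook rather than by the caller, which is what makes the id-plus-query check an ownership control.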

Root level services

A common request, especially when it comes to a more microservice-oriented architecture, was the ability to register a service at the root level. As of @feathersjs/feathers v3.3.0 [changelog] and the latest transport (@feathersjs/socketio or @feathersjs/express) this is now possible by giving a service the / path like this:

Feathers+

The new CLI+ is similar to the current cli in that it uses the same commands and asks similar questions but also:

A transition from the current @feathersjs/cli to the CLI+ is planned for the final Crow release.

feathers-hooks-common

feathers-hooks-common is a collection of useful hooks that a Feathers application usually needs.

  • TypeScript typings have been added (j2L4e).
  • TypeScript IDE interface displays include links to the documentation.
  • The new fgraphql populate hook allows you to leverage the GraphQL resolvers generated by cli+ so you can populate records without writing code.
  • softDelete2 improves the functionality of the now deprecated softDelete.
  • dialablePhoneNumber uses a version of Google’s Android libphonenumber library for parsing, formatting, and validating international phone numbers.
  • alterItems now works with async callback functions.
  • keepInArray and keepQueryInArray keep selected fields within nested arrays.

authentication-local-management

The current feathers-authentication-management is in the process of being rewritten as authentication-local-management. The new version

  • Is easier to configure,
  • Is more customizable via hooks and plug-ins,
  • Supports SMS as well as email push notifications,
  • Has features to support multi factor authentication which you can use in two factor authentication (2FA), sign-in to new devices, or sign-in after an extended period,
  • Allows users to invite others,
  • Supports multiple password-like fields, e.g. PIN, badge#,
  • Can prevent reuse of passwords via password history,
  • Supports password hashing using other than hashPassword().

Articles

created a comprehensive list of Feathers articles published in 2018:

As always, many thanks to everyone for the great contributions over the last little while and to a great 2019! ❤️

