[Bug]: Request body is read/parsed in buildContext() before beforeHandle...

Runtime-portable framework with supply-chain-aware defaults

Brought to you by: daloyjs

#45 [Bug]: Request body is read/parsed in buildContext() before beforeHandle auth guards

Status: open

Owner: nobody

Labels: None

Updated: 3 days ago

Created: 3 days ago

Creator: Anonymous

Private: No

Originally created by: Ayush7614

Summary

On matched routes that declare a request body schema, DaloyJS reads and parses the full request body inside buildContext() before route/global beforeHandle hooks run (including bearerAuth(), rateLimit(), WAF, etc.).

Attackers can force expensive body I/O and JSON parsing on protected endpoints even when auth would reject the request immediately afterward.

This is not an auth bypass — the handler never runs. It is a resource-exhaustion / ordering issue.

Preflight

[x] This is a bug, not a security vulnerability (no credential bypass; handler not reached).
[x] Searched existing issues — no duplicate found.
[x] Reproduced on @daloyjs/core@1.0.0-beta.4 (local monorepo main).

Environment

@daloyjs/core: 1.0.0-beta.4
Runtime: Node.js v24.6.0 (app.request() in-process)
Package manager: pnpm 11.x
OS: macOS

What happened (actual)

Route with request.body schema + bearerAuth({ validate: () => false }):

Request	Status	Interpretation
POST ~400KB valid JSON + invalid bearer	403	Body accepted/parsed; auth rejected after
POST malformed JSON + invalid bearer	400	JSON parse fails before auth (403 never reached)

Dispatch order in src/app.ts:

~3443 — buildContext() (includes readBody + safeJsonParse when body schema present, ~4410–4428)
~3452 — allHooks.beforeHandle() (bearerAuth, rateLimit, …)

If requestDecompression is enabled as global onRequest, decompression also runs before routing (~442–468 in request-decompression.ts).

What was expected

Cheap guards (beforeHandle: auth, rate limit, IP fence) should run before reading/parsing large request bodies, so unauthenticated clients cannot burn CPU/bandwidth on body work.

Minimal reproduction

import { App, bearerAuth } from "@daloyjs/core";
import { z } from "zod";

const Body = z.object({ data: z.string() });

const app = new App({ env: "test", bodyLimitBytes: 512 * 1024 }).route({
  method: "POST",
  path: "/secret",
  auth: { scheme: "bearer" },
  hooks: bearerAuth({ validate: () => false }),
  request: { body: Body },
  responses: { 401: { description: "unauthorized" } },
  handler: async () => ({ status: 200 as const, body: { ok: true } }),
});

// Malformed JSON → 400 (body phase) before auth
const bad = await app.request("/secret", {
  method: "POST",
  headers: { "Content-Type": "application/json", Authorization: "Bearer x" },
  body: "{not-json",
});
console.log("malformed:", bad.status); // 400

// Large valid JSON → auth rejection, but body already read/parsed
const huge = "A".repeat(400_000);
const big = await app.request("/secret", {
  method: "POST",
  headers: { "Content-Type": "application/json", Authorization: "Bearer x" },
  body: JSON.stringify({ data: huge }),
});
console.log("large + bad token:", big.status); // 403

Suggested fix direction

Defer readBody / schema validation until after beforeHandle passes (or split a “cheap” pre-body phase for auth + rate limit). Keep unhappy-path tests proving body limits and prototype-pollution guards still reject bad payloads.

Severity

Medium — resource exhaustion on authenticated routes, not auth bypass.

Discussion

Anonymous - 3 days ago

Originally posted by: Ayush7614

cc: @devlinduldulao

If you would like to refer to this comment somewhere else in this project, copy and paste the following link: