Research
Security News
Threat Actor Exposes Playbook for Exploiting npm to Build Blockchain-Powered Botnets
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
@fastify/multipart
Advanced tools
@fastify/multipart is a Fastify plugin for handling multipart/form-data, which is commonly used for file uploads. It provides a simple and efficient way to handle file uploads in Fastify applications.
Basic File Upload
This code demonstrates a basic file upload endpoint using @fastify/multipart. The file is processed and its filename is returned in the response.
const fastify = require('fastify')();
const fastifyMultipart = require('@fastify/multipart');
fastify.register(fastifyMultipart);
fastify.post('/upload', async (req, reply) => {
const data = await req.file();
await data.toBuffer(); // Process the file
reply.send({ filename: data.filename });
});
fastify.listen(3000, err => {
if (err) throw err;
console.log('Server listening on http://localhost:3000');
});
Handling Multiple Files
This code demonstrates handling multiple file uploads in a single request using @fastify/multipart. Each file is processed in a loop.
const fastify = require('fastify')();
const fastifyMultipart = require('@fastify/multipart');
fastify.register(fastifyMultipart);
fastify.post('/upload-multiple', async (req, reply) => {
const parts = req.files();
for await (const part of parts) {
await part.toBuffer(); // Process each file
}
reply.send({ status: 'Files processed' });
});
fastify.listen(3000, err => {
if (err) throw err;
console.log('Server listening on http://localhost:3000');
});
File Validation
This code demonstrates file validation using @fastify/multipart. It restricts uploads to files of type 'image/png' and limits the file size to 1MB.
const fastify = require('fastify')();
const fastifyMultipart = require('@fastify/multipart');
fastify.register(fastifyMultipart, {
limits: {
fileSize: 1000000 // 1MB
}
});
fastify.post('/upload', async (req, reply) => {
const data = await req.file();
if (data.mimetype !== 'image/png') {
reply.code(400).send({ error: 'Only PNG files are allowed' });
return;
}
await data.toBuffer(); // Process the file
reply.send({ filename: data.filename });
});
fastify.listen(3000, err => {
if (err) throw err;
console.log('Server listening on http://localhost:3000');
});
Multer is a middleware for handling multipart/form-data, which is primarily used for uploading files. It is built on top of busboy and is widely used in Express applications. Compared to @fastify/multipart, Multer is more mature and has a larger user base, but it is designed specifically for Express.
Formidable is a Node.js module for parsing form data, especially file uploads. It is framework-agnostic and can be used with various web frameworks. Formidable offers more flexibility and lower-level control compared to @fastify/multipart, but it requires more setup and manual handling.
Busboy is a Node.js module for parsing incoming HTML form data. It is a lower-level library that @fastify/multipart and other packages like Multer are built upon. Busboy provides fine-grained control over file uploads but requires more boilerplate code compared to @fastify/multipart.
Fastify plugin to parse the multipart content-type. Supports:
Under the hood it uses @fastify/busboy
.
npm i @fastify/multipart
If you are looking for the documentation for the legacy callback-api please see here.
const fastify = require('fastify')()
const fs = require('fs')
const util = require('util')
const { pipeline } = require('stream')
const pump = util.promisify(pipeline)
fastify.register(require('@fastify/multipart'))
fastify.post('/', async function (req, reply) {
// process a single file
// also, consider that if you allow to upload multiple files
// you must consume all files otherwise the promise will never fulfill
const data = await req.file()
data.file // stream
data.fields // other parsed parts
data.fieldname
data.filename
data.encoding
data.mimetype
// to accumulate the file in memory! Be careful!
//
// await data.toBuffer() // Buffer
//
// or
await pump(data.file, fs.createWriteStream(data.filename))
// be careful of permission issues on disk and not overwrite
// sensitive files that could cause security risks
// also, consider that if the file stream is not consumed, the promise will never fulfill
reply.send()
})
fastify.listen({ port: 3000 }, err => {
if (err) throw err
console.log(`server listening on ${fastify.server.address().port}`)
})
Note about data.fields
: busboy
consumes the multipart in serial order (stream). Therefore, the order of form fields is VERY IMPORTANT to how @fastify/multipart
can display the fields to you.
We would recommend you place the value fields first before any of the file fields.
It will ensure your fields are accessible before it starts consuming any files.
If you cannot control the order of the placed fields, be sure to read data.fields
AFTER consuming the stream, or it will only contain the fields parsed at that moment.
You can also pass optional arguments to @fastify/busboy
when registering with Fastify. This is useful for setting limits on the content that can be uploaded. A full list of available options can be found in the @fastify/busboy
documentation.
fastify.register(require('@fastify/multipart'), {
limits: {
fieldNameSize: 100, // Max field name size in bytes
fieldSize: 100, // Max field value size in bytes
fields: 10, // Max number of non-file fields
fileSize: 1000000, // For multipart forms, the max file size in bytes
files: 1, // Max number of file fields
headerPairs: 2000, // Max number of header key=>value pairs
parts: 1000 // For multipart forms, the max number of parts (fields + files)
}
});
For security reasons, @fastify/multipart
sets the limit for parts
and fileSize
being 1000 and 1048576 respectively.
Note: if the file stream that is provided by data.file
is not consumed, like in the example below with the usage of pump, the promise will not be fulfilled at the end of the multipart processing.
This behavior is inherited from @fastify/busboy
.
Note: if you set a fileSize
limit and you want to know if the file limit was reached you can:
data.file.on('limit')
data.file.truncated
data.file.toBuffer()
and wait for the error to be thrownconst data = await req.file()
await pump(data.file, fs.createWriteStream(data.filename))
if (data.file.truncated) {
// you may need to delete the part of the file that has been saved on disk
// before the `limits.fileSize` has been reached
reply.send(new fastify.multipartErrors.FilesLimitError());
}
// OR
const data = await req.file()
try {
const buffer = await data.toBuffer()
} catch (err) {
// fileSize limit reached!
}
Additionally, you can pass per-request options to the req.file
, req.files
, req.saveRequestFiles
or req.parts
function.
fastify.post('/', async function (req, reply) {
const options = { limits: { fileSize: 1000 } };
const data = await req.file(options)
await pump(data.file, fs.createWriteStream(data.filename))
reply.send()
})
fastify.post('/', async function (req, reply) {
const parts = req.files()
for await (const part of parts) {
await pump(part.file, fs.createWriteStream(part.filename))
}
reply.send()
})
fastify.post('/upload/raw/any', async function (req, reply) {
const parts = req.parts()
for await (const part of parts) {
if (part.type === 'file') {
await pump(part.file, fs.createWriteStream(part.filename))
} else {
// part.type === 'field
console.log(part)
}
}
reply.send()
})
fastify.post('/upload/raw/any', async function (req, reply) {
const data = await req.file()
const buffer = await data.toBuffer()
// upload to S3
reply.send()
})
This will store all files in the operating system default directory for temporary files. As soon as the response ends all files are removed.
fastify.post('/upload/files', async function (req, reply) {
// stores files to tmp dir and return files
const files = await req.saveRequestFiles()
files[0].type // "file"
files[0].filepath
files[0].fieldname
files[0].filename
files[0].encoding
files[0].mimetype
files[0].fields // other parsed parts
reply.send()
})
If you set a fileSize
limit, it is able to throw a RequestFileTooLargeError
error when limit reached.
fastify.post('/upload/files', async function (req, reply) {
try {
const file = await req.file({ limits: { fileSize: 17000 } })
//const files = req.files({ limits: { fileSize: 17000 } })
//const parts = req.parts({ limits: { fileSize: 17000 } })
//const files = await req.saveRequestFiles({ limits: { fileSize: 17000 } })
reply.send()
} catch (error) {
// error instanceof fastify.multipartErrors.RequestFileTooLargeError
}
})
If you want to fallback to the handling before 4.0.0
, you can disable the throwing behavior by passing throwFileSizeLimit
.
Note: It will not affect the behavior of saveRequestFiles()
// globally disable
fastify.register(fastifyMultipart, { throwFileSizeLimit: false })
fastify.post('/upload/file', async function (req, reply) {
const file = await req.file({ throwFileSizeLimit: false, limits: { fileSize: 17000 } })
//const files = req.files({ throwFileSizeLimit: false, limits: { fileSize: 17000 } })
//const parts = req.parts({ throwFileSizeLimit: false, limits: { fileSize: 17000 } })
//const files = await req.saveRequestFiles({ throwFileSizeLimit: false, limits: { fileSize: 17000 } })
reply.send()
})
This allows you to parse all fields automatically and assign them to the request.body
. By default files are accumulated in memory (Be careful!) to buffer objects. Uncaught errors are handled by Fastify.
fastify.register(require('@fastify/multipart'), { attachFieldsToBody: true })
fastify.post('/upload/files', async function (req, reply) {
const uploadValue = await req.body.upload.toBuffer() // access files
const fooValue = req.body.foo.value // other fields
const body = Object.fromEntries(
Object.keys(req.body).map((key) => [key, req.body[key].value])
) // Request body in key-value pairs, like req.body in Express (Node 12+)
})
Request body key-value pairs can be assigned directly using attachFieldsToBody: 'keyValues'
. Field values will be attached directly to the body object. By default, all files are converted to a string using buffer.toString()
used as the value attached to the body.
fastify.register(require('@fastify/multipart'), { attachFieldsToBody: 'keyValues' })
fastify.post('/upload/files', async function (req, reply) {
const uploadValue = req.body.upload // access file as string
const fooValue = req.body.foo // other fields
})
You can also define an onFile
handler to avoid accumulating all files in memory.
async function onFile(part) {
// you have access to original request via `this`
console.log(this.id)
await pump(part.file, fs.createWriteStream(part.filename))
}
fastify.register(require('@fastify/multipart'), { attachFieldsToBody: true, onFile })
fastify.post('/upload/files', async function (req, reply) {
const fooValue = req.body.foo.value // other fields
})
The onFile
handler can also be used with attachFieldsToBody: 'keyValues'
in order to specify how file buffer values are decoded.
async function onFile(part) {
const buff = await part.toBuffer()
const decoded = Buffer.from(buff.toString(), 'base64').toString()
part.value = decoded // set `part.value` to specify the request body value
}
fastify.register(require('@fastify/multipart'), { attachFieldsToBody: 'keyValues', onFile })
fastify.post('/upload/files', async function (req, reply) {
const uploadValue = req.body.upload // access file as base64 string
const fooValue = req.body.foo // other fields
})
Note: if you assign all fields to the body and don't define an onFile
handler, you won't be able to read the files through streams, as they are already read and their contents are accumulated in memory.
You can only use the toBuffer
method to read the content.
If you try to read from a stream and pipe to a new file, you will obtain an empty new file.
If you enable attachFieldsToBody: 'keyValues'
then the response body and JSON Schema validation will behave similarly to application/json
and application/x-www-form-urlencoded
content types. Files will be decoded using Buffer.toString()
and attached as a body value.
fastify.register(require('@fastify/multipart'), { attachFieldsToBody: 'keyValues' })
fastify.post('/upload/files', {
schema: {
body: {
type: 'object',
required: ['myFile'],
properties: {
// file that gets decoded to string
myFile: {
type: 'string',
// validate that file contents match a UUID
pattern: '^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$'
},
hello: {
type: 'string',
enum: ['world']
}
}
}
}
}, function (req, reply) {
console.log({ body: req.body })
reply.send('done')
})
If you enable attachFieldsToBody: true
and set sharedSchemaId
a shared JSON Schema is added, which can be used to validate parsed multipart fields.
const opts = {
attachFieldsToBody: true,
sharedSchemaId: '#mySharedSchema'
}
fastify.register(require('@fastify/multipart'), opts)
fastify.post('/upload/files', {
schema: {
body: {
type: 'object',
required: ['myField'],
properties: {
// field that uses the shared schema
myField: { $ref: '#mySharedSchema'},
// or another field that uses the shared schema
myFiles: { type: 'array', items: fastify.getSchema('mySharedSchema') },
// or a field that doesn't use the shared schema
hello: {
properties: {
value: {
type: 'string',
enum: ['male']
}
}
}
}
}
}
}, function (req, reply) {
console.log({ body: req.body })
reply.send('done')
})
If provided, the sharedSchemaId
parameter must be a string ID and a shared schema will be added to your fastify instance so you will be able to apply the validation to your service (like in the example mentioned above).
The shared schema, that is added, will look like this:
{
type: 'object',
properties: {
encoding: { type: 'string' },
filename: { type: 'string' },
limit: { type: 'boolean' },
mimetype: { type: 'string' }
}
}
When sending fields with the body (attachFieldsToBody
set to true), the field might look like this in the request.body
:
{
"hello": "world"
}
The mentioned field will be converted, by this plugin, to a more complex field. The converted field will look something like this:
{
hello: {
fieldname: "hello",
value: "world",
fieldnameTruncated: false,
valueTruncated: false,
fields: body
}
}
It is important to know that this conversion happens BEFORE the field is validated, so keep that in mind when writing the JSON schema for validation for fields that don't use the shared schema. The schema for validation for the field mentioned above should look like this:
hello: {
properties: {
value: {
type: 'string'
}
}
}
If a non file field sent has Content-Type
header starting with application/json
, it will be parsed using JSON.parse
.
The schema to validate JSON fields should look like this:
hello: {
properties: {
value: {
type: 'object',
properties: {
/* ... */
}
}
}
}
If you also use the shared JSON schema as shown above, this is a full example which validates the entire field:
const opts = {
attachFieldsToBody: true,
sharedSchemaId: '#mySharedSchema'
}
fastify.register(require('@fastify/multipart'), opts)
fastify.post('/upload/files', {
schema: {
body: {
type: 'object',
required: ['field'],
properties: {
field: {
allOf: [
{ $ref: '#mySharedSchema' },
{
properties: {
value: {
type: 'object'
properties: {
child: {
type: 'string'
}
}
}
}
}
]
}
}
}
}
}, function (req, reply) {
console.log({ body: req.body })
reply.send('done')
})
We export all custom errors via a server decorator fastify.multipartErrors
. This is useful if you want to react to specific errors. They are derived from @fastify/error and include the correct statusCode
property.
fastify.post('/upload/files', async function (req, reply) {
const { FilesLimitError } = fastify.multipartErrors
})
This project is kindly sponsored by:
Licensed under MIT.
FAQs
Multipart plugin for Fastify
The npm package @fastify/multipart receives a total of 170,438 weekly downloads. As such, @fastify/multipart popularity was classified as popular.
We found that @fastify/multipart demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 0 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.
Security News
Research
A malicious npm package disguised as a WhatsApp client is exploiting authentication flows with a remote kill switch to exfiltrate data and destroy files.