Restrict character sets for attribute values

[Magnus-Kuhn]

Readiness checklist

• I added/updated tests.
• I ensured that the PR title is good enough for the changelog.
• I labeled the PR.
• I self-reviewed the PR.

[codecov]

Codecov Report

Attention: Patch coverage is 97.39583% with 5 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
...ntent/src/attributes/types/relationship/Consent.ts	33.33%	4 Missing ⚠️
...ontent/src/attributes/types/strings/AbstractXML.ts	0.00%	1 Missing ⚠️

Files with missing lines	Coverage Δ
...es/content/src/attributes/RelationshipAttribute.ts	96.82% <100.00%> (+0.05%)	⬆️
...ntent/src/attributes/RelationshipAttributeQuery.ts	98.05% <100.00%> (+0.01%)	⬆️
...attributes/ThirdPartyRelationshipAttributeQuery.ts	96.55% <100.00%> (-3.45%)	⬇️
.../content/src/attributes/constants/CharacterSets.ts	100.00% <100.00%> (ø)
...ackages/content/src/attributes/hints/ValueHints.ts	98.10% <100.00%> (-0.56%)	⬇️
...es/content/src/attributes/hints/ValueHintsValue.ts	100.00% <100.00%> (+8.10%)	⬆️
...ges/content/src/attributes/types/AbstractString.ts	100.00% <100.00%> (ø)
...nt/src/attributes/types/address/AbstractAddress.ts	100.00% <100.00%> (ø)
...kages/content/src/attributes/types/address/City.ts	87.50% <100.00%> (+0.83%)	⬆️
...src/attributes/types/address/DeliveryBoxAddress.ts	85.48% <100.00%> (+11.50%)	⬆️
... and 33 more

... and 119 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Milena-Czierlinski]

Requires additional approval of @stnmtz once we want to merge this PR.

The base branch was changed.

[jkoenig134]

When adding documentation, note that only NFC normalized strings are considered valid.

@Magnus-Kuhn you can add docs now yourself against: nmshd/documentation#307

[jkoenig134]

Seeing what you did with #437 I think we should do all this in the controller and not on serval level. Additionally it wouldn't be a breaking change then.

[jkoenig134]

this key is only machine read, I don't see a reason why we should limit the charset here.

[Magnus-Kuhn]

My reason for validating everything was that integrators can safely copy attributes into their systems, even if they can't handle all characters

[jkoenig134]

I don't see someone not being able to "handle" this.

[Magnus-Kuhn]

The reason for creating the norm and making it mandatory was that there were non-conformant IT systems (some that weren't even using UTF8) - see https://www.it-planungsrat.de/fileadmin/beschluesse/2022/Beschluss2022-51_Umsetzung.pdf. I would not be as confident with this.

[jkoenig134]

Ehm, nope?! The main reason is that we don't want to have ✌🏼😜😜😜🤣😆🥹😅 as a display name or surname.

[Magnus-Kuhn]

Okay, then there has been some misunderstanding

[jkoenig134]

why are title and description validated?

[Magnus-Kuhn]

If a query has forbidden characters, then there would be no attribute that fits to the query

[jkoenig134]

ehm, what? this would require that title and description are validated in the attribute itself..

[Magnus-Kuhn]

They are currently validated in the Proprietary... types

[jkoenig134]

True, but also there I'd heavily argue that this is necessary.

[Magnus-Kuhn]

Seeing what you did with #437 I think we should do all this in the controller and not on serval level. Additionally it wouldn't be a breaking change then.

Doing it in serval validates requests and notifications as well

[jkoenig134]

Seeing what you did with #437 I think we should do all this in the controller and not on serval level. Additionally it wouldn't be a breaking change then.

Doing it in serval validates requests and notifications as well

But it requires you to duplicate the logic everywhere ... I don't see a reason for doing that.

[jkoenig134]

Seeing what you did with #437 I think we should do all this in the controller and not on serval level. Additionally it wouldn't be a breaking change then.

Doing it in serval validates requests and notifications as well

But it requires you to duplicate the logic everywhere ... I don't see a reason for doing that.

Additionally the error message for regex sucks. When doing that in controllers we would have the possibility to return a WAY BETTER error message than hey, your entered value does not conform vberuozfapmwjewhrubwihrieoawdkvjqnljfldwawer78f6r7w1d3wef4ads8615as, please deal with it

[Magnus-Kuhn]

Also generally the regex checks for e.g. Email occur in content - which also has a big error message. Do you suggest moving them all (and maybe the string length checks as well) into the controller?

[jkoenig134]

Also generally the regex checks for e.g. Email occur in content - which also has a big error message. Do you suggest moving them all (and maybe the string length checks as well) into the controller?

I don't know why this has to be a general thing. I see a thing that gets introduced in almost every content class, which is not ok and we should find a solution for that - and I proposed a solution.

Projecting this to "but then we should remove all regex validations" is very misplaced here.

[Magnus-Kuhn]

nmshd/documentation#309 does documentation, #448 is an alternative approach

[Magnus-Kuhn]

Closed in favour of #448