chore: update serializable type validation to check for wider range of cbor types instead of json types

[NathanFlurry]

No description provided.

[NathanFlurry]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• chore: update docs #1029
• chore(example): add better-auth-external-sql example #1028
• feat: add credentials include to HTTP requests #1027
• refactor: rename ALL_PUBLIC_HEADERS to ALLOWED_PUBLIC_HEADERS #1026
• chore(manager): return internal error instead of forbidden error on auth hook #1025
• chore: update serializable type validation to check for wider range of cbor types instead of json types #1024 👈 (View in Graphite)
• chore: split out onauth type from main config #1023
• feat: uncomment better-auth example code and fix auth type #1022
• chore: update examples to new api #1021
• refactor: implement lazy loading and deterministic actor IDs #1020
• refactor: comment out logger name in log formatter #1019
• refactor: simplify server creation with createServer API #1018
• chore: update examples to use turbo #1017
• chore: update @rivetkit deps to be peer deps #1016
• chore: update default port from 6420 -> 8080 #1015
• chore: update cloudflare-workers to new persist schema #1014
• chore: update default driver to file system driver #1013
• chore: remove test driver in favor of memory driver #1012
• chore: migrate persisted data storage to cbor #1011
• fix(core): update websocket to use event listeners #1009 : 1 other dependent PR (#1010 )
• feat(core): add inline client driver to ActorContext & ActionContext #1008
• chore: update zod dependency to v3.25.67 and code formatting #1007
• fix(core): update FakeWebSocket to handle onopen assigned after open event fired #1006
• chore: rename workers -> actors #1005
• feat: sqlite #992
• chore: add rivet as a default driver #1004
• chore: rename rivetkit -> @rivetkit/core & expose @rivetkit/worker #1003
• chore(docs): update docs structure #1002
• chore: add more platform demos #1000
• ci: fix pkg-pr-new #1001
• chore: remove outdated demos #999
• chore: implement Registry.run #998
• chore: migrate to pnpm #997
• chore: disable inspector #996
• chore: rename actorcore -> rivetkit take 2 #995
• chore: remove python from release #985
• feat: update rust to 0.9.0 #984
• refactor(react): 0.9 #987
• chore: update header names to X-RivetKit-* #994
• chore: add generic types for input & auth data #993
• feat: add onAuth lifecycle hooks #991
• chore: rename "app" -> "registry" #990
• chore: remove remaining uses of "ActorCore" #989
• chore: implement inline client for all drivers #988
• chore: rename actors -> workers #986
• feat: add inline client #983
• chore: refactor client to support ClientDriver #981
• chore: rename actor-core -> @r-core/actor #980
• main

---

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• merge queue - adds this PR to the back of the merge queue
• hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[graphite-app]

There's a typo in the comment: productoin should be production

Suggested change

	// IMPORTANT: Connect a real database for productoin use cases
	// IMPORTANT: Connect a real database for production use cases

Spotted by Diamond

Is this helpful? React 👍 or 👎 to let us know.

[graphite-app]

There's a typo in the property name: verifcation is missing an 'i' and should be verification

Suggested change

	// verifcation: [],
	// verification: [],

Spotted by Diamond

Is this helpful? React 👍 or 👎 to let us know.

[graphite-app]

The userId field is currently hardcoded as "TODO", which will cause all messages to share the same user identifier. This should be replaced with the actual user ID from the authentication context, likely available at c.conn.auth.user.id. Using a static value here breaks user attribution in the chat system.

Suggested change

	userId: "TODO",
	userId: c.conn.auth.user.id,

Spotted by Diamond

Is this helpful? React 👍 or 👎 to let us know.

[graphite-app]

The validation logic for objects with non-standard prototypes appears incomplete. While the code checks for the presence of a named constructor, it doesn't perform any actual validation to determine if these objects are CBOR serializable. The empty if block with only comments suggests an unfinished implementation.

This could potentially allow non-serializable objects to pass validation, leading to runtime errors when serialization is attempted. Consider either:

1. Implementing proper validation for these object types
2. Explicitly rejecting objects with non-standard prototypes
3. Documenting which specific object types with custom prototypes are supported

// Example of a more complete implementation:
if (constructor && typeof constructor.name === "string") {
  // Check if it's one of the known serializable types
  if ([KnownType1, KnownType2].includes(constructor)) {
    return true;
  }
  onInvalid?.(currentPath);
  return false;
}

Suggested change

	if (proto !== null && proto !== Object.prototype) {
	// Check if it's a known serializable object type
	const constructor = value.constructor;
	if (constructor && typeof constructor.name === "string") {
	// Allow objects with named constructors (records, named objects)
	// This includes user-defined classes and built-in objects
	// that CBOR can serialize with tag 27 or record tags
	}
	if (proto !== null && proto !== Object.prototype) {
	// Check if it's a known serializable object type
	const constructor = value.constructor;
	if (constructor && typeof constructor.name === "string") {
	// Allow objects with named constructors (records, named objects)
	// This includes user-defined classes and built-in objects
	// that CBOR can serialize with tag 27 or record tags
	const knownSerializableTypes = [
	Date,
	Map,
	Set,
	RegExp
	// Add other known serializable types here
	];
	if (knownSerializableTypes.some(type => constructor === type)) {
	return true;
	}
	onInvalid?.(currentPath);
	return false;
	}

Spotted by Diamond

Is this helpful? React 👍 or 👎 to let us know.

[graphite-app]

Merge activity

• Jun 27, 8:54 AM UTC: NathanFlurry added this pull request to the Graphite merge queue.
• Jun 27, 8:55 AM UTC: CI is running for this pull request on a draft pull request (#1030) due to your merge queue CI optimization settings.
• Jun 27, 8:56 AM UTC: Merged by the Graphite merge queue via draft PR: #1030.