feat: extend complex formdata support to StandardSchema

[Teyik0]

My precedent works on complex formdata was not complete, this one should end my journey around complex formdata and put Elysia in a good state regarding limited support on this on others frameworks.

This PR has two primary goals:

1. ✅ Multipart FormData support for Standard Schema (previously TypeBox-only)
2. ✅ Nested file upload support for both TypeBox and Standard Schema (previously impossible even with TypeBox)

Feature
Clients can now combine JSON stringify with dot notation to optimize bandwidth and support complex nested structures with files:

example ->

// Client - Mixed notation approach
const formData = new FormData()

// Pure dot notation
formData.append('user.name', 'John')
formData.append('user.avatar', fileBlob)
formData.append('user.photos[0]', photo1)
formData.append('user.photos[1]', photo2)

// Mixed: JSON stringify + dot notation for files
formData.append(
  'images.update[0]',
  JSON.stringify({
    id: '123',
    altText: 'an image'
  })
)
// Files merged intelligently into the object
formData.append('images.update[0].img', Bun.file('image.jpg'))

// Server receives unified structure:
// {
//   user: { name: 'John', avatar: File, photos: [File, File] },
//   images: { update: [{ id: '123', altText: 'an image', img: File }] }
// }
// Then validation can happen

No breaking change, fully tested with complex example (maybe too much).
I think that all edge case are handled.
Next-step (if review ok), update Eden to handle nested image as well.

Summary by CodeRabbit

• New Features

  • Added an example demonstrating nested multipart file uploads using dot-notation keys and multiple endpoints for common nested patterns.

• Improvements

  • More robust form-data parsing for complex nested structures, including array notation support.
  • Added defenses to prevent prototype-pollution via form keys.

• Tests

  • Substantially expanded test coverage for nested multipart forms, mixed file/field payloads, coercion, and security scenarios.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

Walkthrough

Adds nested/dot-notation multipart/form-data parsing and normalization, prototype-pollution guards, adapter/handler integration for nested arrays/objects and files, a new example, and extensive tests for nested form handling and security.

Changes

Cohort / File(s)	Summary
Example Usage example/nested-multipart-files.ts	New example demonstrating nested multipart file uploads via dot-notation (multiple endpoints: /user/profile, /user/portfolio, /post) and client usage comments.
Adapter (web-standard) src/adapter/web-standard/index.ts	Adds dangerous key guards, parseArrayKey, enhanced formData parsing, JSON/string merging with File(s), and safe nested assignment logic to prevent prototype pollution.
Dynamic Handler src/dynamic-handle.ts	Introduces ARRAY_INDEX_REGEX, DANGEROUS_KEYS, isDangerousKey, parseArrayKey, parseObjectString, setNestedValue, normalizeFormValue; routes multipart/form-data through normalization and supports nested dot/array notation and async decode unwrapping.
Type System Formatting src/type-system/index.ts	Formatting/line-break adjustments only; no API or behavioral changes.
Type System Tests test/type-system/formdata.test.ts	Re-enabled and expanded tests for nested objects/files, numeric coercion, repeated array fields, and updated assertions using response-based matching.
Validator Tests test/validator/body.test.ts	Large suite of new tests covering nested/dot-notation formdata, arrays-with-files, mixed payloads, and prototype-pollution defenses (__proto__, constructor, array index cases).

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant Adapter as WebStandardAdapter
  participant Handler as DynamicHandler
  participant Validator
  participant Route as RouteHandler

  Client->>Adapter: POST multipart/form-data (dot-notation keys, files)
  Adapter->>Adapter: parse FormData, detect arrays/JSON, guard dangerous keys
  Adapter->>Handler: pass normalized key/value map
  Handler->>Handler: normalizeFormValue -> setNestedValue (handle arrays/files)
  Handler->>Validator: validate/ decode body (may be async)
  Validator-->>Handler: validated body
  Handler->>Route: invoke route handler with nested body
  Route-->>Client: response

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• Fix nested formdata #1607: Related work on nested multipart/form-data coercion and schema rewrites to support nested form-data coercion.

Poem

🐰 I stitched the dots into a thread,

Files and fields tucked in my bed,
No proto trick can find its place,
Nested maps now hold their space,
Hooray—uploads hop with grace! 🥕✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'feat: extend complex formdata support to StandardSchema' clearly describes the main change: extending multipart/form-data support to Standard Schema and enabling nested file uploads, which aligns with the primary objectives and the majority of code changes.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/elysiajs/elysia@1697

commit: 563a873