Body parser ignores Dto structure.

Bug Report

Current behavior

While using POST over controller and passing Body as an DTO object it seems like we can still manipulate whole object, is it expected behaviour? How to change it so only attributes within DTO will be acceptable by the server?

Input Code

dto

export class CreateInstanceDto {
  name: string;
}

instance.service function

  async create(instanceBody: CreateInstanceDto, user: User): Promise<Instance> {
    try {
      const instance = new this.instanceModel(instanceBody);
      instance.createdBy = user.mail;
      await instance.save();
      return instance;
    } catch (e) {
      throw new BadRequestException(e.message.toString());
    }
  }

instance.controller

  @UseGuards(AuthGuard('jwt'))
  @Post()
  create(@Body() instanceDto: CreateInstanceDto, @Request() req): Promise<Instance> {
    return this.instanceService.create(instanceDto, req.user);
  }

instance.interface

export interface Instance {
  id?: string;
  name: string;
  active: boolean;
  status: any;
  createdAt: Date;
  createdBy: string;
  configuration: any;
}

instance.schema

import * as mongoose from 'mongoose';

export const InstanceSchema = new mongoose.Schema({
  name: {required: true, type: String, index: {unique: true}},
  active: {type: Boolean, default: false},
  status: {type: Map, default: {
      database : false,
      environment : false,
      configuration : false,
      language : false,
    }},
  createdAt: {type: Date, default: Date.now},
  createdBy: {type: String},
  configuration: {type: Map, default: {}},
});

Expected behavior

Once I post anything else than name it should ignore all other inputs. Right now if I pass name:“xxx” and active:true, object xxx is created with active status as true instead of default false provided by the schema.

Environment

Nest version: 6.6.4
 
For Tooling issues:
- Node version:  v10.15.3
- Platform: Windows