Unknown field validation

[gustavohenke]

Description

This PR implements long awaited exact matching of requests, a.k.a unknown field validations.

It works by

1. grabbing all contexts and extracting the fields and locations that they validate; then
2. creating a recursive tree out of the known fields paths; for example, foo.bar becomes { foo: { bar: {} }; then
3. recursively iterating over each field under each validated request location, seeing if they match a known field or not.

I made the conscious decision of not including headers and cookies in the default validated locations.
The reason is a bit obvious: browsers will add stuff you weren't expecting.

The API is very flexible too. All of the below are valid:

// Only a single id param can exist
app.get('user/:id', checkExact(param('id').isInt()), getUserRoute);

// Only the email and password body properties can exist
app.post('login', checkExact([
	body('email').isEmail(),
	body('password').notEmpty()
], loginRoute);

// Same as above, but with a schema
app.post('login', checkExact(checkSchema({
	email: { isEmail: true },
	password: { notEmpty: true }
})), loginRoute);

// Same as above, but as separate middlewares
app.post('login', [
	body('email').isEmail(),
	body('password').notEmpty(),
	checkExact()
], loginRoute);

It's important to notice in the above that checkExact is always the last middleware, or one that wraps others.
That's because it will report fields from chains after it as unknown.

Note: performance wise, this might be slow, depending on what the request and the validation rules look like.

I'm not adding docs in this PR as I wish to revamp them before v7 is released.

To-do list

• I have added tests for what I changed.

• This pull request is ready to merge.

[coveralls]

Coverage: 100.0%. Remained the same when pulling c8a4642 on v7/check-exact into 327af8b on v7-features.

[gustavohenke]

Never really used

[gustavohenke]

Noteworthy. Let's see what happens after releasing this