swagger-tools
                                
Strict validation mode for undefined parameters?
I wonder if it would be useful to have a strict validation mode for input parameters? This way the API could automatically respond with an error if params are included that are not defined in the Swagger spec (validation right now is only for type/format/required). This could be really useful for query, body, and formData parameter types. Probably not so desirable for header params, and not really relevant to path parameters (which already get validated fully).
As it stands right now, controller code has to revalidate passed parameters before saving (you can't just use the body or formData and stick it in a db, as even unspecified fields get saved). Same with query parameters: unspecified ones have to be validated and omitted manually, and the controller needs to return their own errors here so as not to confuse API consumers.
Any thoughts?
+1. That sounds like a useful tool to me.
Sounds useful to me as well.
+1. (thumbsup)
+1
Any other library which provides this feature?
Not that I'm aware of. I created an issue here: https://github.com/apigee-127/sway/issues/94
+1 Would really need this, having to double check everything before saving to the db is a pain.
To anyone coming here from Google:
This feature basically already exists, although you have to opt in to it on each route by setting additionalProperties: false in your Swagger specification. This will cause the API to respond with an error if the request includes properties that are not defined in your spec. This can for example allow you to just stick the body right in the db without having to revalidate the parameters to prevent an attacker from sending whatever they want into the db.
Here's an example of a specification in yaml:
  /api/example:
    post:
      parameters:
        - name: things
          in: body
          required: true
          schema:
            type: object
            properties:
              id:
                type: integer
                format: int64
              name:
                type: string
            # reject any body property other than id and name
            additionalProperties: false
Notice the last line. Swagger-tools will now prevent anyone from sending properties on the body other than id and name.
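Because the setting is opt-in per schema, and `additionalProperties` only applies to the object schema that declares it (nested objects need their own), a spec audit helps find the routes that have not opted in. The following is an added example, not part of the thread or of swagger-tools: the function names and the sample spec are constructed, only local `#/definitions/...` references are followed, and `allOf` is not inspected.

```javascript
// Added example (not swagger-tools code): list body object schemas that still accept undeclared properties.
const METHODS = ['get', 'put', 'post', 'delete', 'options', 'head', 'patch'];

// Resolve a local "#/definitions/Name" $ref; anything else is returned unchanged.
function deref(spec, schema) {
  const m = schema && typeof schema.$ref === 'string' &&
    /^#\/definitions\/(.+)$/.exec(schema.$ref);
  return m ? (spec.definitions || {})[m[1]] : schema;
}

// Collect the location of every object schema whose additionalProperties is not false.
function openObjects(spec, schema, where, seen = new Set(), out = []) {
  schema = deref(spec, schema);
  if (!schema || typeof schema !== 'object' || seen.has(schema)) return out;
  seen.add(schema); // guards against circular references
  if (schema.type === 'object' || schema.properties) {
    if (schema.additionalProperties !== false) out.push(where);
    for (const [name, sub] of Object.entries(schema.properties || {})) {
      openObjects(spec, sub, `${where}.${name}`, seen, out);
    }
  }
  if (schema.items) openObjects(spec, schema.items, `${where}[]`, seen, out);
  return out;
}

// Audit the body parameter of every operation (path-level parameters included).
function auditSpec(spec) {
  const findings = [];
  for (const [path, item] of Object.entries(spec.paths || {})) {
    for (const method of METHODS.filter((m) => item[m])) {
      for (const p of [...(item.parameters || []), ...(item[method].parameters || [])]) {
        if (p.in !== 'body') continue;
        findings.push(...openObjects(spec, p.schema, `${method.toUpperCase()} ${path} ${p.name}`));
      }
    }
  }
  return findings;
}

// Constructed sample: the first body is closed at the top level but has an open nested object.
const closed = { type: 'object', additionalProperties: false };
const sampleSpec = {
  paths: {
    '/api/example': { post: { parameters: [{ name: 'things', in: 'body', schema: { ...closed,
      properties: { id: { type: 'integer' }, owner: { type: 'object', properties: { email: { type: 'string' } } } } } }] } },
    '/api/other': { put: { parameters: [{ name: 'item', in: 'body', schema: { $ref: '#/definitions/Item' } }] } } },
  definitions: { Item: { type: 'object', properties: { tags: { type: 'array', items: closed } } } } };
console.log(auditSpec(sampleSpec));
```

Each reported location is a place where an undeclared field would pass validation and reach the controller.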