swagger-tools
validateContentType validates MIME type of request for POST and PUT only
The content type validation of a request is limited to POST and PUT at [1].
PATCH and DELETE should also be validated.
[1] https://github.com/apigee-127/swagger-tools/blob/c9f8e3ba570c305c2af69cbe55a30a515b2f0a1e/lib/validators.js#L249
PATCH makes sense to me but DELETE doesn't. But at the same time, I did some digging and since there is no explicit mention in the spec that a body is forbidden for DELETE, I can make both changes.
Thanks, @whitlockjc. Please consider the following:
Roy T. Fielding wrote at [1]:
any HTTP request message is allowed to contain
a message body, and thus must parse messages with that in mind.
Server semantics for GET, however, are restricted such that a body,
if any, has no semantic meaning to the request. The requirements
on parsing are separate from the requirements on method semantics.
Given Roy's comment please consider removing the method check altogether. If the API developer explicitly declares that a method consumes a particular media type, the validator should perform the media type validation. A good API design would not include a body on a GET, but all the good implementations out there that use this lib shouldn't have to pay the cost (albeit nominal) of the additional method check.
[1] https://groups.yahoo.com/neo/groups/rest-discuss/conversations/messages/9962
We were already in agreement. :)
@whitlockjc should the method check be removed entirely (every method's body, if present, will be validated against the desired content type) or should we exclude GET? Personally, I think we should exclude the GET, but I'm not married to that.
Furthermore, HEAD should follow GET in its treatment, and OPTIONS isn't explicitly excluded, but according to the RFC it isn't technically supposed to have a request body; however, in the event that OPTIONS does include a request body, it must include a Content-Type header. source
Maybe we just remove the filtering based on HTTP method. If "any HTTP request message is allowed to contain a message body", who are we to disallow sending and validating it?
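The behaviour proposed in this thread, as an added example that is not swagger-tools' own validateContentType: the declared `consumes` list is enforced for any method whenever the request actually carries a body, with no method filtering at all. The request shape (`method`, lower-cased `headers`) and the error strings are assumptions for illustration.

```javascript
// Added example (not swagger-tools' own code): validate the request's
// Content-Type against the operation's declared `consumes` list for every
// HTTP method, rather than only POST and PUT. The request shape below is an
// assumption for illustration: a plain object with lower-cased header names.
function parseMediaType(value) {
  // Drop parameters such as "; charset=utf-8" and normalise case.
  return String(value || '').split(';')[0].trim().toLowerCase();
}

function hasBody(req) {
  // A message carries a body when Content-Length is non-zero or the
  // transfer is chunked (RFC 7230 section 3.3), whatever the method.
  var headers = req.headers || {};
  var length = parseInt(headers['content-length'], 10);
  if (Number.isFinite(length) && length > 0) return true;
  return /chunked/i.test(headers['transfer-encoding'] || '');
}

// Returns null when the request is acceptable, otherwise an error message.
function validateContentType(req, consumes) {
  // Nothing declared for this operation: nothing to validate against.
  if (!Array.isArray(consumes) || consumes.length === 0) return null;
  // No body on the wire: Content-Type is irrelevant, for GET, DELETE or any
  // other method, so there is nothing to reject.
  if (!hasBody(req)) return null;
  var contentType = parseMediaType((req.headers || {})['content-type']);
  if (!contentType) {
    return 'Missing Content-Type header on request with a body';
  }
  var accepted = consumes.map(parseMediaType);
  if (accepted.indexOf(contentType) === -1) {
    return 'Invalid Content-Type (' + contentType + ').  These are valid: ' +
      accepted.join(', ');
  }
  return null;
}

// Constructed sample requests (not captured traffic).
var jsonPatch = {
  method: 'PATCH',
  headers: { 'content-type': 'application/json; charset=utf-8', 'content-length': '17' }
};
var bareDelete = { method: 'DELETE', headers: { 'content-length': '0' } };
var xmlPut = {
  method: 'PUT',
  headers: { 'content-type': 'text/xml', 'content-length': '42' }
};
```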