express-openapi-validator icon indicating copy to clipboard operation
express-openapi-validator copied to clipboard

Published 20 hours ago • verified publisher icon cdimascio

Exclude response validation that is not in api spec

Open rienheuver opened this issue 4 years ago • 3 comments

Related problem We use the response validation, but it also tries to validate responses that should not be validated. We use the ApiExcludeEndpoint decorator from nestjs/swagger on some endpoints to exclude it from our api-spec. However, the validator will still try to check it and then errors:

Cannot convert undefined or null to object

Preferred solution An option to exclude endpoints that are not present in the api-spec. Related issues: #224, #141, #52. The problem is that ignorePaths is not flexible enough: we want to exclude only certain http-methods on a path. So DO validate GET on /users/{userId} but DON'T validate POST on /users/{userId} for example. From a maintenance perspective of our codebase it would also be much better to just set an option like ignoreUndocumented once.

Alternatives Not exclude these routes from our api-spec? :P We want to remove certain routes from our api-spec because they can't be implemented by third-parties. Only our first-party application can use those routes.

rienheuver avatar Apr 13 '21 11:04 rienheuver

this error seems like a bug Cannot convert undefined or null to object. it should return 404 given, can you provide an example?

i will consider ignoreUndocumented.

cdimascio avatar Apr 18 '21 04:04 cdimascio

Thanks for your reply! Can't provide an example right now, our repo is too complex to share. I believe these are the steps to reproduce though:

  1. generate/write api-spec for your api
  2. remove a certain http-verb from an endpoint. E.g. remove POST /users, but keep GET /users. Maybe removing entire endpoint works as well, not sure
  3. turn on validateResponses

Is that enough information?

And the ignoreUndocumented is quite necessary for us since we can't validate our API now because ignorePaths cannot distinguish between HTTP-verbs within an endpoint.

rienheuver avatar Apr 19 '21 08:04 rienheuver

EDIT: I realised that this has been properly addressed in https://github.com/cdimascio/express-openapi-validator/pull/637. Thus, this issue should probably be closed?

@rienheuver I know this issue is old, but I have a suggestion for this issue with existing code and maybe it still helps your or someone else:

If you are using a setup similar to the NestJS example, you can configure which routes the validator is applied to. In the example, it's set to all routes, but you can easily set it to certain routes or exclude certain routes. The drawback is that you will have some amount of duplicated configuration, but at least NestJS provides a variety of ways to configure it effectively.

It might be even worth considering extending the example to show-case this.

ahilke avatar Feb 06 '24 16:02 ahilke