open-api icon indicating copy to clipboard operation
open-api copied to clipboard

Published 20 hours ago verified publisher icon kogosoftwarellc

express-openapi not coercing parameters that use a $ref in their schema

Open chadxz opened this issue 4 years ago • 8 comments

When I use a parameter like this:

parameters:
  - name: flag
    in: query
    schema:
      $ref: '#/components/schemas/SomeFlag'

where the component looks like this:

components:
  schemas:
    SomeFlag:
      type: boolean

The parameter that ends up in my controller action hasn't been parsed as the appropriate type. If i inline the schema it works as expected.

Here's a minimal reproduction of my issue: https://github.com/chadxz/param-ref-repro

When i was debugging the issue it looks like there's no support for $ref in openapi-request-coercer, but I don't know if the schema refs should have been resolved prior to getting to that library or not.

chadxz avatar Mar 26 '20 22:03 chadxz

I ran into a similar problem using version 6.0.0 on npm, specifically the nullable flag wasn't being recognized for a field in the requestBody.

      requestBody:
        content:
          'application/json':
            schema:
              required:
                - project
              properties:
                project:
                  $ref: '#/components/schemas/Project'

where the component looks like this:

components:
  schemas:
    Project:
      type: object
      properties:
        owner:
          description: Username that owns the project.
          type: string
          nullable: true

sending this data

{"project":{"owner":null}}

gives this error.

[
  {
    "path": "project.owner",
    "errorCode": "type.openapi.requestValidation",
    "message": "should be string",
    "location": "body"
  }
]

@chadxz As I workaround, I found using json-schema-ref-parser works. Essentially dereference all of the $ref in the API spec before passing to initialize.

schristley avatar Apr 15 '20 19:04 schristley

is this still an issue?

jsdevel avatar May 19 '20 22:05 jsdevel

As far as I know yes

chadxz avatar May 19 '20 23:05 chadxz

I have same problem too. version 6.0.0

ddzero2c avatar Jun 12 '20 05:06 ddzero2c

It is still an issue in December... version 7.2.0 I've attempted to exactly follow the openApi doc, but I get the same result.

https://swagger.io/docs/specification/describing-parameters/

duinness avatar Dec 14 '20 19:12 duinness

please submit a PR

jsdevel avatar Dec 16 '20 17:12 jsdevel

This appears to be a duplicate of issue 483. My team began walking through the source code expecting to open a PR and decided the easiest solution is to do what @jberger (from issue 483) and @schristley (above) suggested and to just pre-parse the schemas.

duinness avatar Jan 04 '21 15:01 duinness

Parameter validations shouldn't silently be ignored; it is important to avoid false negatives. In a worst-case scenario this could be a security issue (though it would likely be detected before then). If express-openapi cannot and will not handle these valid openapi documents it should at least throw an exception when it notices the case.

jberger avatar Jan 04 '21 15:01 jberger

From what I see the issue is that openapi-jsonschema-parameters just removes the $ref for any kind of parameters (added some test driven test to verify that). From what I see here it should be supported

sshahar1 avatar Jun 28 '23 09:06 sshahar1