Request Parameter Validator does not ignore Header parameters with name `Accept`, `Content-Type` or `Authorization`

Open thejamescollins opened this issue 3 years ago • 0 comments

Context

Thanks for this very useful package 😀

I believe I have found an issue where Prism behaves differently from how the OpenAPI specification describes things should behave.

Current Behavior

When validating a request using an OpenAPI specification that contains a Parameter definition for a header parameter named Authorization, the following validation error occurs:

[HTTP SERVER] get /users ℹ  info      Request received
[NEGOTIATOR] ℹ  info      Request contains an accept header: */*
[VALIDATOR] ⚠  warning   Request did not pass the validation rules
[NEGOTIATOR] ⬤  debug     Unable to find a 422 response definition
[NEGOTIATOR] ⬤  debug     Unable to find a 400 response definition
[NEGOTIATOR] ✔  success   Created a 422 from a default response
[NEGOTIATOR] ✔  success   Found response 422. I'll try with it.
[NEGOTIATOR] ⬤  debug     Unable to find a content with an example defined for the response 422
[NEGOTIATOR] ✔  success   Responding with the requested status code 422
[VALIDATOR] ✖  error     Violation: request.header.authorization must match format "uuid"

The last line in the above output is the issue:

[VALIDATOR] ✖  error     Violation: request.header.authorization must match format "uuid"

Expected Behavior

This Authorization parameter should be ignored by the Prism validator, according to https://swagger.io/specification/#parameter-object

If in is "header" and the name field is "Accept", "Content-Type" or "Authorization", the parameter definition SHALL be ignored.

I believe all Header parameters named Accept, Content-Type or Authorization should be ignored entirely in the validator.

Possible Workaround/Solution

In the Validator code, I believe any request Parameters (query, header, path or cookie) with a name of Accept, Content-Type or Authorization should be entirely ignored by Prism, i.e. it should behave as if those Parameters do not exist in the mocked specification at all.

Steps to Reproduce

Minimal OpenAPI specification:

openapi: 3.0.0
info:
  title: Test API
  version: "1"
paths:
  /users:
    get:
      description: Get users
      parameters:
        - name: Authorization
          in: header
          schema:
            type: string
            format: uuid
      responses:
        default:
          description: response description
      security:
        - basicAuth: []
components:
  securitySchemes:
    basicAuth:
      type: http
      scheme: basic

Start prism mock pointing to the above spec:

prism mock minimal.yaml

Run the following command:

curl -v --header "Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=" http://127.0.0.1:4010/users

The prism output is as shown in the Current Behavior section above.

Environment

  • Version used: 4.9.2
  • Environment name and version: node v17.9.0
  • Operating System and version (desktop or mobile): macOS Monterey
  • Link to your environment/workspace/project: N/A

Acknowledgement

I'd like to thank @om4csaba for helping me research and report this issue.

thejamescollins avatar May 12 '22 03:05 thejamescollins
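The rule quoted under Expected Behavior and the fix proposed under Possible Workaround/Solution, worked through as an added JavaScript example (not Prism's own code): header parameter definitions named Accept, Content-Type or Authorization are dropped before validation, while other header parameters are still checked. Assumptions of this example: header names are matched case-insensitively, only the `uuid` string format is implemented, and the `X-Request-Id` parameter is a hypothetical addition to the issue's minimal spec.

```javascript
// Added example, not Prism's own code: a minimal request-header validator that
// applies the OpenAPI rule quoted in the issue. Treating header names
// case-insensitively (HTTP header semantics) is an assumption of this example.
const IGNORED_HEADER_PARAMS = new Set(["accept", "content-type", "authorization"]);
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Drop header parameter definitions the spec says SHALL be ignored.
function effectiveParameters(parameters) {
  return parameters.filter(
    (p) => !(p.in === "header" && IGNORED_HEADER_PARAMS.has(p.name.toLowerCase()))
  );
}

// Validate request headers against parameter definitions. Only the "uuid"
// string format from the issue's spec is checked (reduced scope, assumption).
// applySpecRule=false reproduces the behaviour reported in the issue.
function validateHeaders(parameters, headers, { applySpecRule = true } = {}) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  const params = applySpecRule ? effectiveParameters(parameters) : parameters;
  const violations = [];
  for (const p of params) {
    if (p.in !== "header") continue;
    const key = p.name.toLowerCase();
    const value = lower[key];
    if (value === undefined) {
      if (p.required) violations.push(`request.header.${key} is required`);
      continue;
    }
    if (p.schema && p.schema.format === "uuid" && !UUID_RE.test(value)) {
      violations.push(`request.header.${key} must match format "uuid"`);
    }
  }
  return violations;
}

// Constructed input: the issue's Authorization parameter plus one ordinary
// header parameter (X-Request-Id, hypothetical) that must still be validated.
const specParameters = [
  { name: "Authorization", in: "header", schema: { type: "string", format: "uuid" } },
  { name: "X-Request-Id", in: "header", required: true, schema: { type: "string", format: "uuid" } },
];
const requestHeaders = {
  Authorization: "Basic dXNlcm5hbWU6cGFzc3dvcmQ=",
  "X-Request-Id": "123e4567-e89b-12d3-a456-426614174000",
};
console.log(validateHeaders(specParameters, requestHeaders, { applySpecRule: false }));
console.log(validateHeaders(specParameters, requestHeaders));
```

The first call reproduces the violation from the issue's log; the second returns no violations because the Authorization definition is ignored, while a malformed X-Request-Id would still be reported.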