feat: Specify allow unknown params on a per-operation level #477
Conversation
| const queryParams = Object.keys(query); | ||
| const allowedEmpty = schema.allowEmptyValue; | ||
| for (const q of queryParams) { | ||
| if ( | ||
| !this.requestOpts.allowUnknownQueryParameters && |
There was a problem hiding this comment.
This method processQueryParam is only called in one place, and the allowUnknownQueryParameters boolean is checked there beforehand, so this check is redundant. (Also with my change, it doesn't check the correct scope)
There was a problem hiding this comment.
good catch! thanks for cleaning it up
src/framework/types.ts
Outdated
| @@ -161,6 +161,7 @@ export namespace OpenAPIV3 { | |||
| deprecated?: boolean; | |||
| security?: SecurityRequirementObject[]; | |||
| servers?: ServerObject[]; | |||
| 'x-allow-unknown-query-parameters'?: boolean; | |||
There was a problem hiding this comment.
For now, I'd prefer not to add the vendor extension onto the OperationObject. Can you make this work without it (should be doable with a little TypeScript pain)
There was a problem hiding this comment.
Removed.
Using !! Typescript automatically converts the any to boolean. Which seems like enough to me.
I could explicitly cast to boolean, or perhaps even better check typeof === 'boolean' but that seems like a bit overkill.
I guess the caveat is x-allow-unknown-query-parameters: definitely not a bool will get converted to true
| @@ -125,7 +130,7 @@ export class RequestValidator { | |||
|
|
|||
| mutator.modifyRequest(req); | |||
|
|
|||
| if (!this.requestOpts.allowUnknownQueryParameters) { | |||
| if (disallowUnknownQueryParameters) { | |||
| const queryParams = Object.keys(query); | ||
| const allowedEmpty = schema.allowEmptyValue; | ||
| for (const q of queryParams) { | ||
| if ( | ||
| !this.requestOpts.allowUnknownQueryParameters && |
There was a problem hiding this comment.
good catch! thanks for cleaning it up
I updated the existing |
Yep. i somehow overlooked it. Thanks! |
|
@JacobLey this is available in v4.8.0 |
…o#477) * feat: Specify allow unknown params on a per-operation level * chore: Additional Prettier fixes * fix: do not modify vendor typing, use `!allow` over `disallow`
I came across a use case where I should allow unknown query params (An OAuth RedirectURI which may be given extra unnecessary context, but since "consumers" of this API are not calling it directly, I don't want to reject the entire request for providing extra query params).
However as a general rule I like to go with the default
allowUnknownQueryParameters=false. Since that is a validator-wide option, it wasn't possible to break the rules for just one operation.I took a stab at implementing a per-operation override using OpenAPI's custom properties. Now I can keep strict rules on the rest of my endpoints.
I included tests and documentation as well. I figure the naming is pretty obvious, and low-risk of colliding with existing use cases that don't intend to do the exact same thing.
I can create an actual issue to discuss other alternatives if this is not an acceptable solution.