New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: Specify allow unknown params on a per-operation level #477
Conversation
const queryParams = Object.keys(query); | ||
const allowedEmpty = schema.allowEmptyValue; | ||
for (const q of queryParams) { | ||
if ( | ||
!this.requestOpts.allowUnknownQueryParameters && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This method processQueryParam
is only called in one place, and the allowUnknownQueryParameters
boolean is checked there beforehand, so this check is redundant. (Also with my change, it doesn't check the correct scope)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good catch! thanks for cleaning it up
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@JacobLey nice idea. thanks for implementing the feature.
have a few minor comments. it will also be great if you can update the README to include this
src/framework/types.ts
Outdated
@@ -161,6 +161,7 @@ export namespace OpenAPIV3 { | |||
deprecated?: boolean; | |||
security?: SecurityRequirementObject[]; | |||
servers?: ServerObject[]; | |||
'x-allow-unknown-query-parameters'?: boolean; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
For now, I'd prefer not to add the vendor extension onto the OperationObject. Can you make this work without it (should be doable with a little TypeScript pain)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed.
Using !!
Typescript automatically converts the any
to boolean
. Which seems like enough to me.
I could explicitly cast to boolean, or perhaps even better check typeof === 'boolean'
but that seems like a bit overkill.
I guess the caveat is x-allow-unknown-query-parameters: definitely not a bool
will get converted to true
@@ -125,7 +130,7 @@ export class RequestValidator { | |||
|
|||
mutator.modifyRequest(req); | |||
|
|||
if (!this.requestOpts.allowUnknownQueryParameters) { | |||
if (disallowUnknownQueryParameters) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
!allow...
const queryParams = Object.keys(query); | ||
const allowedEmpty = schema.allowEmptyValue; | ||
for (const q of queryParams) { | ||
if ( | ||
!this.requestOpts.allowUnknownQueryParameters && |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good catch! thanks for cleaning it up
I updated the existing |
Yep. i somehow overlooked it. Thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome!
@JacobLey this is available in v4.8.0 |
…o#477) * feat: Specify allow unknown params on a per-operation level * chore: Additional Prettier fixes * fix: do not modify vendor typing, use `!allow` over `disallow`
I came across a use case where I should allow unknown query params (An OAuth RedirectURI which may be given extra unnecessary context, but since "consumers" of this API are not calling it directly, I don't want to reject the entire request for providing extra query params).
However as a general rule I like to go with the default
allowUnknownQueryParameters=false
. Since that is a validator-wide option, it wasn't possible to break the rules for just one operation.I took a stab at implementing a per-operation override using OpenAPI's custom properties. Now I can keep strict rules on the rest of my endpoints.
I included tests and documentation as well. I figure the naming is pretty obvious, and low-risk of colliding with existing use cases that don't intend to do the exact same thing.
I can create an actual issue to discuss other alternatives if this is not an acceptable solution.