express-openapi not coercing parameters that use a $ref in their schema

[chadxz]

When I use a parameter like this:

parameters:
  - name: flag
    in: query
    schema:
      $ref: '#/components/schemas/SomeFlag'

where the component looks like this:

components:
  schemas:
    SomeFlag:
      type: boolean

The parameter that ends up in my controller action hasn't been parsed as the appropriate type. If i inline the schema it works as expected.

Here's a minimal reproduction of my issue: https://github.com/chadxz/param-ref-repro

When i was debugging the issue it looks like there's no support for $ref in openapi-request-coercer, but I don't know if the schema refs should have been resolved prior to getting to that library or not.

[schristley]

I ran into a similar problem using version 6.0.0 on npm, specifically the nullable flag wasn't being recognized for a field in the requestBody.

      requestBody:
        content:
          'application/json':
            schema:
              required:
                - project
              properties:
                project:
                  $ref: '#/components/schemas/Project'

where the component looks like this:

components:
  schemas:
    Project:
      type: object
      properties:
        owner:
          description: Username that owns the project.
          type: string
          nullable: true

sending this data

{"project":{"owner":null}}

gives this error.

[
  {
    "path": "project.owner",
    "errorCode": "type.openapi.requestValidation",
    "message": "should be string",
    "location": "body"
  }
]

@chadxz As I workaround, I found using json-schema-ref-parser works. Essentially dereference all of the $ref in the API spec before passing to initialize.

[jsdevel]

is this still an issue?

[chadxz]

As far as I know yes

[ddzero2c]

I have same problem too.
version 6.0.0

[duinness]

It is still an issue in December... version 7.2.0
I've attempted to exactly follow the openApi doc, but I get the same result.

https://swagger.io/docs/specification/describing-parameters/

[jsdevel]

please submit a PR

[duinness]

This appears to be a duplicate of issue 483.
My team began walking through the source code expecting to open a PR and decided the easiest solution is to do what @jberger (from issue 483) and @schristley (above) suggested and to just pre-parse the schemas.

[jberger]

Parameter validations shouldn't silently be ignored; it is important to avoid false negatives. In a worst-case scenario this could be a security issue (though it would likely be detected before then). If express-openapi cannot and will not handle these valid openapi documents it should at least throw an exception when it notices the case.

[sshahar1]

From what I see the issue is that openapi-jsonschema-parameters just removes the $ref for any kind of parameters (added some test driven test to verify that).
From what I see here it should be supported