jsonapi allows illegal attribute names #6

Closed
mark-hartmann opened this issue Sep 8, 2022 · 2 comments

@mark-hartmann
Owner

The following attribute names are forbidden in the JSON schema: relationships, links, id, type:

```json
"attributes": {
  "description": "Members of the attributes object (\"attributes\") represent information about the resource object in which it's defined.",
  "type": "object",
  "patternProperties": {
    "^[a-zA-Z0-9](?:[-\\w]*[a-zA-Z0-9])?$": {
      "description": "Attributes may contain any valid JSON value."
    }
  },
  "not": {
    "anyOf": [
      {"required": ["relationships"]},
      {"required": ["links"]},
      {"required": ["id"]},
      {"required": ["type"]}
    ]
  },
  "additionalProperties": false
}
```

The solution is quite simple and can be easily integrated into the existing Schema.Check function, where it is only a matter of iterating the attributes and checking their names. The attribute names must also be checked against the regex defined in the patternProperties member: ^[a-zA-Z0-9](?:[-\\w]*[a-zA-Z0-9])?$.

@mark-hartmann
Owner Author

This check will be done in Type.AddAttr instead; the Schema.Check function will remain as it is for now. A different problem is object attributes, because, based on the specification, member names of links and relationships are forbidden.

There are basically two possibilities here:

  1. The result of GetZeroValue is checked to see if it is a map or struct, and then its field names are checked. The problem is that a custom MarshalJSON function could exist, which actually converts illegal field names into valid names.

  2. The result of GetZeroValue is converted to JSON and then unmarshalled into a map whose keys are checked. The problem is that one can't really predict how the marshaller will handle zero values, which means that illegal fields might slip through the validation when empty fields are omitted.

mark-hartmann added a commit that referenced this issue Oct 29, 2022
@mark-hartmann
Owner Author

The implementing user is responsible for validating the member names of struct or map attributes.
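
An added example, not part of the original thread or the project's code: the attribute name check from the first comment, and possibility 2 from the second comment, showing how an `omitempty` member escapes a check of the marshalled zero value. `ValidAttrName`, `ForbiddenObjectKeys` and the `Address` type are hypothetical names, and `Address` is constructed sample data.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// memberName is the regex from the schema's patternProperties (JSON escaping removed).
var memberName = regexp.MustCompile(`^[a-zA-Z0-9](?:[-\w]*[a-zA-Z0-9])?$`)

// ValidAttrName (hypothetical helper) rejects the four forbidden names and bad patterns.
func ValidAttrName(name string) bool {
	switch name {
	case "relationships", "links", "id", "type":
		return false
	}
	return memberName.MatchString(name)
}

// ForbiddenObjectKeys (hypothetical) marshals an object attribute, unmarshals it into
// a map and reports "links"/"relationships" keys. Omitted members are never seen.
func ForbiddenObjectKeys(v interface{}) ([]string, error) {
	raw, err := json.Marshal(v)
	if err != nil {
		return nil, err
	}
	var m map[string]json.RawMessage
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	var bad []string
	for _, k := range []string{"links", "relationships"} {
		if _, ok := m[k]; ok {
			bad = append(bad, k)
		}
	}
	return bad, nil
}

// Address is a constructed object attribute whose illegal member is tagged omitempty.
type Address struct {
	Street string `json:"street"`
	Links  string `json:"links,omitempty"`
}

func main() {
	fmt.Println(ForbiddenObjectKeys(Address{}))
	fmt.Println(ForbiddenObjectKeys(Address{Links: "/a/1"}))
}
```

The zero value passes the check while the populated value does not, which is the gap described in possibility 2.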
