[BUG] JSON double-encoding when using res.json() and validator.responseValidation

[Mick605]

Describe the bug

When using res.json() to create a response while the configuration validator.responseValidation is true, the content of the response gets double encoded in JSON.

To Reproduce

Steps to reproduce the behavior:

1. Create a controller with res.json(), such as:

export function listPets(req, res) {
    res.json({
        message: 'This is a mockup controller'
    });
}

2. Set the validator.responseValidation configuration to false
3. Call the API endpoint. The result is a valid JSON object:

{
  "message": "This is a mockup controller"
}

4. Set the validator.responseValidation configuration to true
5. Call the API endpoint again. The JSON object got double-encoded:

"{\"message\":\"This is a mockup controller\"}"

Expected behavior

The result should not be JSON encoded twice when using res.json()

Notes

• The problem only occurs when using res.json() to generate the response, not when using res.send().
• This problem leads to validation errors, because the double encoded string is not matching the provided schema:

[oas-tools] WARN: Wrong data in response.
Validation failed at #/type > must be object

[Mick605]

The problem seems to come from the interception of the res.send function done in oas-validator.js, line 102

  /* Intercepts response */
  const oldSend = res.send;
  res.send = function send(data) {
    // here, data parameter can be either object or string
   ...
  }

The data parameter can either be of type object or string, depending on the way the response is generated:

• when using res.send(object), data will be an object
• when using res.json(object), data will be a JSON encoded string

It seems that there is not enough information in the current interceptor to differenciate these cases. Testing if data looks like a JSON encoded string is not a solution because someone could want to use res.send() to send an already JSON encoded string.

Intercepting also the res.json method in oas-validator.js seems to be tricky, because the original res.send from Express calls res.json internally in some cases, and res.json calls res.send internally too...

In my opinion, the interception should be made at a lower level, to avoid these problems. The interception itself could be made with an external library, such as express-interceptor. Using a low-level interceptor also has the benefit to allow more use cases of response generation, such as calling res.write() directly.

[alesancor1]

Hello, Mick, I agree with what you say about intercepting responses at a lower level. Ideally, it is the res.write( ) method what should be overriden, since it is what writes the data to the stream before calling res.end( ). I'll study how express-interceptor works and try to fix that.

[agnoam]

Hey, any news about this?