[CWM] Investigate API validation libraries for MykoMap

[ms0ur1s]

Created after whiteboard #267

Description:

Research and evaluate API validation libraries that can be integrated into the MykoMap backend. The chosen library should ensure that incoming requests are properly validated against the API schema, as defined in the Swagger spec.

Objectives:

• Identify potential validation libraries compatible with the tech stack.
• Compare the pros and cons of each library, considering factors like ease of integration, performance, and community support.
• Recommend the best library for use in MykoMap.

Acceptance Criteria:

• A short report or summary document comparing the chosen validation libraries.
• A recommendation for which library to use, supported by reasoning.
• Create a follow-up issue to integrate the chosen library into the MykoMap backend.

[wu-lee]

Just to note that Fastify, a framework which we're trialling for the back-end server, uses AJV for this.

Others I've heard of, off the top of my head, are

• zod
• yup

There are quite a lot of others I think. I did have an article comparing these to hand once, when I was researching this for Mykomap config validation, but I can't find it again at the moment.

[rogup]

I was having a look at few different options and this looks promising, and works nicely with a front-end and leverages the benefit of typescript and having code in a monorepo https://trpc.io/

It can integrate easily with fastify and uses Zod, which people seem to say works well with Typescript (on that note, I think we also need to convert the BE to typescript soon, so that it doesn't become a big task to change it later).

Then, I think we are able to generate the openapi spec from our tRPC routes, and use our code as the source of truth.

Edit After doing a bit more digging, it looks like tRPC doesn't actually integrate that well with REST and prefers to define APIs in its own way. The library to generate or consume OpenAPI specs looks like it's no longer maintained https://github.com/jlalmes/trpc-openapi

A better alternative that I've found is ts-rest https://ts-rest.com/

• It is based on REST and has better support for OpenAPI generation https://ts-rest.com/docs/open-api
• It looks like it's a lot more flexible and lightweight than tRPC and doesn't require as much coupling between the front-end and back-end, instead using a shared REST 'contract' that is defined in typescript in a shared api lib.
• There's some nice functionality for defining fake APIs for unit tests https://ts-rest.com/docs/guides/fake-apis

The only disadvantage compared with tRPC that I can see so far is that it doesn't have built-in integration with as many runtime validation libraries, only Zod. But Zod seems like one of the top choices of validator anyway, especially with Typescript code, and the one recommended with tRPC, so this doesn't matter too much.

The other main alternative I found was https://github.com/ecyrbe/zodios which is similar to ts-rest but seems to be less actively maintained and a bit less flexible (e.g. only supports Express, not Fastify)

[rogup]

Have discussed with Nick, who is happy for us to have a go with ts-rest + Zod